[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
BALANCING PRIVACY AND INNOVATION: DOES THE PRESIDENT'S PROPOSAL TIP THE
SCALE?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
MARCH 29, 2012
__________
Serial No. 112-135
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
81-441 PDF WASHINGTON : 2013
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan
Chairman
JOE BARTON, Texas HENRY A. WAXMAN, California
Chairman Emeritus Ranking Member
CLIFF STEARNS, Florida JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky Chairman Emeritus
JOHN SHIMKUS, Illinois EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania EDOLPHUS TOWNS, New York
MARY BONO MACK, California FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska ANNA G. ESHOO, California
MIKE ROGERS, Michigan ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina GENE GREEN, Texas
Vice Chairman DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma LOIS CAPPS, California
TIM MURPHY, Pennsylvania MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California TAMMY BALDWIN, Wisconsin
CHARLES F. BASS, New Hampshire MIKE ROSS, Arkansas
PHIL GINGREY, Georgia JIM MATHESON, Utah
STEVE SCALISE, Louisiana G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio JOHN BARROW, Georgia
CATHY McMORRIS RODGERS, Washington DORIS O. MATSUI, California
GREGG HARPER, Mississippi DONNA M. CHRISTENSEN, Virgin
LEONARD LANCE, New Jersey Islands
BILL CASSIDY, Louisiana KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky JOHN P. SARBANES, Maryland
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
_____
Subcommittee on Commerce, Manufacturing, and Trade
MARY BONO MACK, California
Chairman
MARSHA BLACKBURN, Tennessee G.K. BUTTERFIELD, North Carolina
Vice Chairman Ranking Member
CLIFF STEARNS, Florida CHARLES A. GONZALEZ, Texas
CHARLES F. BASS, New Hampshire JIM MATHESON, Utah
GREGG HARPER, Mississippi JOHN D. DINGELL, Michigan
LEONARD LANCE, New Jersey EDOLPHUS TOWNS, New York
BILL CASSIDY, Louisiana BOBBY L. RUSH, Illinois
BRETT GUTHRIE, Kentucky JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia HENRY A. WAXMAN, California (ex
MIKE POMPEO, Kansas officio)
ADAM KINZINGER, Illinois
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)
(ii)
C O N T E N T S
----------
Page
Hon. Mary Bono Mack, a Representative in Congress from the State
of California, opening statement............................... 1
Prepared statement........................................... 4
Hon. G.K. Butterfield, a Representative in Congress from the
State of North Carolina, opening statement..................... 6
Hon. Fred Upton, a Representative in Congress from the State of
Michigan, opening statement.................................... 7
Prepared statement........................................... 9
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, opening statement.......................... 11
Witnesses
Lawrence E. Strickling, Assistant Secretary for Communication and
Information, Department of Commerce............................ 12
Prepared statement........................................... 14
Answers to submitted questions............................... 200
Jon Leibowitz, Chairman, Federal Trade Commission................ 37
Prepared statement........................................... 39
Answers to submitted questions............................... 210
Berin Szoka, President, TechFreedom.............................. 91
Prepared statement........................................... 94
Answers to submitted questions............................... 216
Jonathan Zuck, President, Association for Competitive Technology. 121
Prepared statement........................................... 123
Answers to submitted questions............................... 246
Pam Horan, President, Online Publishers Association.............. 137
Prepared statement........................................... 139
Answers to submitted questions............................... 252
Michael Zaneis, Senior Vice President and General Counsel,
Interactive Advertising Bureau................................. 146
Prepared statement........................................... 148
Answers to submitted questions............................... 256
Justin Brookman, Director, Consumer Privacy, Center for Democracy
& Technology................................................... 162
Prepared statement........................................... 164
Answers to submitted questions............................... 261
Submitted Material
Statement, dated March 29, 2011 [sic], of the Consumer
Electronics Association, submitted by Mrs. Blackburn........... 65
Statement, dated March 26, 2012, of Commissioner J. Thomas Rosch,
Federal Trade Commission, submitted by Mrs. Bono Mack.......... 187
White House report, ``Consumer Data Privacy in a Networked World:
A Framework for Protecting Privacy and Promoting Innovation in
the Global Digital Economy,'' dated February 2012, submited by
Mr. Butterfield \1\............................................
Federal Trade Commission report, ``Protecting Consumer Privacy in
an Era of Rapid Change: Recommendations for Businesses and
Policymakers,'' dated March 2012, submitted by Mr. Butterfield
\2\............................................................
----------
\1\ The report is available at http://www.whitehouse.gov/sites/
default/files/privacy-final.pdf.
\2\ The report is available at http://www.ftc.gov/os/2012/03/
120326privacyreport.pdf.
BALANCING PRIVACY AND INNOVATION: DOES THE PRESIDENT'S PROPOSAL TIP THE
SCALE?
----------
THURSDAY, MARCH 29, 2012
House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 9:05 a.m., in
room 2123, Rayburn House Office Building, Hon. Mary Bono Mack
(chairman of the subcommittee) presiding.
Members present: Representatives Bono Mack, Blackburn,
Stearns, Harper, Lance, Cassidy, Guthrie, Olson, Pompeo,
Kinzinger, Barton, Upton (ex officio), Butterfield, Gonzalez,
Sarbanes, Waxman (ex officio), and Markey.
Staff present: Paige Anderson, Commerce, Manufacturing, and
Trade Coordinator; Charlotte Baker, Press Secretary; Michael
Beckerman, Deputy Staff Director; Andy Duberstein, Deputy Press
Secretary; Kirby Howard, Legislative Clerk; Brian McCullough,
Senior Professional Staff Member, Commerce, Manufacturing, and
Trade; Gib Mullan, Chief Counsel, Commerce, Manufacturing, and
Trade; Shannon Weinberg, Counsel, Commerce, Manufacturing, and
Trade; Michelle Ash, Democratic Chief Counsel, Commerce,
Manufacturing, and Trade; Felipe Mendoza, Democratic Senior
Counsel; and Will Wallace, Democratic Policy Analyst.
Mrs. Bono Mack. The subcommittee will now come to order.
Good morning. Let me begin by saying thank you and welcome
to our distinguished guests, FTC Chairman John Leibowitz and
Assistant Commerce Secretary Lawrence Strickling.
I really enjoyed spending time with you recently at the
White House, and I hope you both feel the same way about me
after your getting grilled today. But seriously, though, you
have been great to work with, and at the end of the day, we all
want the same thing, to better safeguard consumer privacy. And
the chair now recognizes herself for an opening statement.
OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Today, as we continue our yearlong series of hearings into
online privacy, we are rapidly reaching the point where the
rubber hits the road. When it comes to the Internet, how do we,
as Congress, as the administration and as Americans, balance
the need to remain innovative with the need to protect privacy?
And how hard of a shove would it take to tip that critically
important balance in a way that hurts the U.S. economy,
American consumers, or both?
Clearly, the explosive growth of technology has made it
possible to collect information about consumers in increasingly
sophisticated ways. Sometimes the collection and use of this
information is extremely beneficial, but other times, it is
not. After six privacy hearings, we have covered a lot of
ground, and we have learned a lot about consumer concerns.
But today, I am still not certain legislation is necessary.
I am still sceptical of the motives of both industry and
government, and still leery that advancements like Do Not Track
and eraser-button technology will work as intended.
Frankly, despite the recent highly publicized privacy
initiatives undertaken by several companies, I don't believe
industry is doing enough on its own to protect American
consumers, while the government, as we all know, has this
really bad habit of overreaching when it comes to new
regulations. And the prospect of that hearing again looms very
large in this debate, which brings us to today's hearing.
At first blush, how can anyone oppose the administration's
seven privacy principles, such as individual control,
transparency and accountability? It is simply Mom and apple
pie.
I want to applaud Chairman Leibowitz and Secretary
Strickling for your tireless efforts and commitment to this
issue; you have done a great job. The privacy framework that
you have put forward reflects a lot of time, effort, and
careful thought when it comes to the question facing us today:
How do we better protect privacy in the future?
I really look forward to discussing this important issue
with you.
But given Washington's addiction to regulation, I am very
concerned that the White House's privacy bill of rights could
morph one day into another big government's rules of the road,
complete with red-light cameras, speed traps and traffic cops
trying to meet ever-increasing quotas. Talk about stopping the
Internet dead in its tracks.
This all reminds me of Joseph Heller's great satirical
World War II novel ``Catch-22,'' which is based on the premise
of a bureaucratic, no-win situation or a double bind. Today we
could be facing a similar paradox if we are not very, very
careful about how we proceed.
In Heller's book, the main character, an Air Force B-25
bombardier flying over the Mediterranean Sea, blurts out at one
point, ``The enemy is anybody who is going to get you killed,
no matter what side he is on.'' Sound familiar? I bet it does
to consumers. Today we might be facing a similar sort of
circular logic, our very own Catch-22.
Some people say we must regulate the Internet to protect
privacy. Others say if we go too far to protect privacy, we
could her the Internet. Or is there a middle ground, a sweet
spot between too much regulation and no regulation at all? I
believe finding that sweet spot is a challenge we are facing
today.
Clearly, we are making progress on the privacy front. Yet
on the other hand, our rapid technological advance is simply
creating a new, different and more complex set of problems. And
how capable are regulators of keeping abreast of these changes
without always winding up a day late and a dollar short?
Too much is at stake for to us get this wrong. That is why
I have advocated since the beginning of these hearings that we
need to move forward with an abundance of caution. And to me,
the reason is crystal clear: Even though it serves billions of
users worldwide, and e-commerce last year in the U.S topped
$200 billion for the first time, the Internet pretty much
remains a work in progress.
Still, in just 25 years, the Internet has already spurred
transformative innovation. It has incalculable value. It has
become part of our daily lives, and it has unlimited potential
to effect positive social and political change, as the world
dramatically witnessed during the Arab Spring.
So, before we do any possible harm to the Internet, we need
to understand what harm is actually being done to consumers,
and where is the public outcry for legislation? Today I am
simply not hearing it. I haven't gotten a single letter from
anyone back home urging me to pass a privacy bill. They want
data protection, but no one is beating down my door about the
broader privacy issues. That may change, and it probably will
if industry doesn't come up with better safeguards for
consumers in the future. But right now, we should resist the
urge to rush to judgment because we feel a compelling need to
do something, even if we are not exactly sure what that should
be.
And now I recognize the ranking member of our subcommittee,
Mr. Butterfield of North Carolina, for his opening.
[The prepared statement of Mrs. Bono Mack follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NORTH CAROLINA
Mr. Butterfield. I thank the chairman.
Also thank the witnesses for coming forward today with your
testimonies. We are going to try to get right through this and
get right to your testimony and hopefully have some good
questions and answers will follow.
Let me begin by thanking the Department of Commerce and FTC
for their initiatives to address the serious issue of consumer
privacy. These two documents sketch out, with varying degrees
of specificity, steps that should be taken to protect
consumers' privacy. The White House privacy report suggests
starting with the implementation of high level principles
contained in its consumer privacy bill of rights. The report
recommends that industry implement the consumer privacy bill of
rights through voluntarily adopted business codes of conduct.
I commend those in industry that are supporting this
effort. Consumers and industry must engage each other for this
process to work. The White House privacy report also recognizes
that there must be a backstop, and it must be a baseline, that
consumers need bottom-line privacy protections spelled out in
Federal law. I, therefore, support the administration and
strongly believe that in order to provide companies and
consumers with legal certainty, we need to enact a
comprehensive, flexible and balanced Federal consumer privacy
law.
The FTC report that was released earlier this week starts
from a more concrete and substantive place, suggesting best
practices for industry that it believes will result in better
privacy protection for consumers. I want to be clear, these
recommendations are not law; they are not even regulations.
They are not legally binding on anyone. And they aren't legally
enforceable by anyone. Nonetheless, these were carefully
considered recommendations. And to the extent they can, I hope
companies will make the FTC's recommendations part of their
everyday business practices.
It makes good business sense for companies to keep privacy
at the forefront as they develop new products and services. It
is also good business practice to incorporate data security
from the beginning and throughout the development process. And
consumers have more confidence in those businesses that are
transparent about their data collection practices.
The FTC, like the White House, is also now calling on us
here in Congress to pass consumer privacy legislation.
Madam Chair, I agree that we must take of privacy
legislation now. The White House has called on Congress to act.
The FTC has called on Congress to act, and many members of the
subcommittee believe that we must act now.
I feel strongly a national baseline privacy law is the best
way to ensure consumers have basic common sense and permanent
rights over the collection and use of their information. To
that end, I believe any privacy legislation should contain at
least the minimum requirements, ensure Americans have context-
appropriate access to their information; number two,
transparency with regard to who is collecting their data;
three, affirmative consent prior to personal data being shared
with a third party; and number four, that personal data be
protected through reasonable security safeguards.
I would like to thank the witnesses for being here today.
Madam Chair, I would like to reiterate that I stand ready to
work with you on a commonsense privacy piece of legislation
that will ensure the greatest protection for consumers.
Thank you, and I yield back.
Mrs. Bono Mack. Thank you, Mr. Butterfield.
And the chair now recognizes Mr. Upton for 5 minutes for
his opening statement.
Mr. Upton. Well, good morning, Madam Chair.
Mrs. Bono Mack. Good morning.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. I would like to welcome back Chairman Leibowitz
and Assistant Secretary Strickling as well as the distinguished
witnesses that we will hear from on the second panel.
Privacy is not a new topic for Congress. Through the
decades, we have passed statutes protecting electronic
communications, financial information, health information,
credit information, movie and book rental information and
information gathered about children. But the lightening fast
development of Internet and mobile technology presents issues
that were not anticipated even 5 years ago.
Smartphones, tablets, connected entertaining devices and
all of the aps are today's modern marble, but who knows what
will replace them in about another 5 years.
I am highly skeptical of Congress' or government
regulators' ability to keep up with the innovative and vibrant
pace of the Internet without breaking it. Consumers and the
economy as a whole will not be well served by government
attempts to wrap the Web in red tape. And we cannot ignore that
Internet companies have a strong incentive to protect their
users; it is called consumer choice. Today's online consumers
are savvy customers who will not be loyal to a company that
puts their personal information at risk. The next big thing is
just around the virtual corner.
The development and success of the Internet economy in the
U.S. Is due in large part to the freedom that our entrepreneurs
have to dream and build. The world's leading Internet companies
and innovators have created a vibrant sector of the economy
that continues to expand, adding lots of jobs for
multinationals and small businesses alike.
According to a recent study by Boston Consulting Group, the
Internet sector accounted for a 4.7 percent of our GDP in 2010,
$684 billion, and it is growing faster in that the rest of the
economy that is for sure.
Apple released a study earlier this month estimating that
it alone created or supported 514,000 jobs in the U.S. from
engineers, to manufacturing, to sales clerks.
At its heart, the Internet is a tool that promotes
information exchanges, whether for conducting consumers,
entertainment, education or social interaction. And many of the
benefits and attractions of the Internet are a product of its
capacity to provide customized services to individuals, but
that often requires exchanging, identifying personal
information.
How that information is treated, who has access to it, and
the degree of consumer control are important questions that
need to be answered. Whether the President's plan that we are
discussing today can be successful in developing consensus
codes of conduct that protect privacy is an open question and
perhaps the most important aspect on which the administration's
framework success or failure hinges.
The administration recognizes that industry developed
standards have proved successful in addressing technical
standards for the Internet as well as in other areas of
commerce. I am most interested to hear how those examples will
serve as a template for the multi-stakeholder process that the
NTIA will convene to move this process forward.
And I would yield to either Mr. Olson or Mr. Kinzinger if
they have any additional comments.
[The prepared statement of Mr. Upton follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. If the gentleman would yield to Ms.
Blackburn.
Mr. Upton. I am sorry. I yield back the balance of my time.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Mrs. Blackburn. Thank you, Mr. Chairman.
And I want to welcome our witnesses.
Just a couple of quick thoughts. The administration has
basically put forward two different privacy frameworks, but
each of these reports would encompass a massive expansion of
government. And in my opinion, it would put some limits on our
individual liberties.
We have to remember we live in a data-driven information
age. And what happens when you follow the European privacy
model and take information out of the information economy?
Those are the questions that we are going to be asking because
I think it is a pretty simple answer, and you can look at
Europe and see, revenues fall, innovation stalls, and you lose
out to innovators who chose to work elsewhere.
So we are concerned about technology mandates, concerned
about a Do Not Track system and if that would lead to
disincentives in the system. We are also seeing some larger
companies embrace privacy regulation as a weapon to stifle
competition and grow monopoly power; that is of concern. So
let's better define the contours of the debate that is in front
of us.
As I continue to say, please, identify the harm and then
let's talk about what needs to be done to address that specific
harm.
I thank the chairman for the hearing today.
I thank the witnesses.
And I yield back.
Mrs. Bono Mack. Thank you, Ms. Blackburn.
And I would like to thank you for chairing the hearing last
week while I was away. I heard you did a fantastic job. I hope
you found this chair comfortable but not too comfortable.
At this point, we will turn our attention to the panel. We
have two panels of witnesses joining us today. Each of our
witnesses has prepared an opening statement that will be placed
into the record. Each of you will have 5 minutes to summarize
that statement in your remarks.
On our first panel, we have the Honorable Lawrence
Strickling, Assistant Secretary for Communication and
Information at the U.S. Department of Commerce. And we also
have the Honorable John Leibowitz, Chairman of the Federal
Trade Commission.
Good morning, gentlemen.
Thank you again for coming. You will each be recognized for
the 5 minutes and the timers--I think you know the drill. The
timers are in front of you. When the light turns yellow, you
will have 1 minute left to begin wrapping up your remarks.
And please, just make sure the microphone is close to your
mouth as you begin, and there is an on button. It is important
that the audience at home can hear you as well.
So, with that, we are happy to recognize you, Mr.
Strickling, for 5 minutes.
STATEMENTS OF LAWRENCE E. STRICKLING, ASSISTANT SECRETARY FOR
COMMUNICATION AND INFORMATION, DEPARTMENT OF COMMERCE; AND JON
LEIBOWITZ, CHAIRMAN, FEDERAL TRADE COMMISSION
STATEMENT OF LAWRENCE E. STRICKLING
Mr. Strickling. Thank you, Chairman Bono Mack, and Ranking
Member Butterfield and Vice Chair Blackburn.
I am pleased to be here to testify on the administration's
consumer privacy framework, and I am especially pleased to be
here with my colleague Chairman Leibowitz, who has provided
such strong and decisive leadership at the Federal Trade
Commission to protect consumers and promote economic growth.
The question for today's hearing is whether the
administration's framework for protecting privacy and promoting
innovation tips the scale that balances privacy and innovation.
My response is an emphatic no. The administration's proposals
strikes the right balance to preserve the flexibility
businesses need to innovate while addressing the broad array of
privacy harms that consumers face in our network world.
Certainly, we all know that the misuse of personal data can
cause financial harm. Personal data lost through security
breaches can lead to identity theft and financial fraud. And
the financial costs of these incidents are quite apparent. But
it is equally apparent that consumers suffer harms that are
more difficult to quantify. They can suffer severe
embarrassment from having their names or online identities
associated with certain Web sites. They have been surprised and
shocked to find that information about them spreads rapidly
from one place to another on the Internet. It is no wonder that
consumers express concern about how companies handle personal
data, and they tend to avoid those that fail to meet their
expectations.
This state of affairs does not serve consumers well, but
just as importantly, it does not serve our businesses either.
If consumers no longer trusted their information will be
protected on the Internet, we risk undermining the growth and
innovation that has characterized the Internet economy. And
accordingly, in developing the administration's policy, we felt
that adequately protecting consumer privacy needed to be done
in a way that also protected innovation so that the result
would be a win-win for consumers and for businesses.
The blueprint includes four key measures. First is the
Consumer Privacy Bill of Rights, these rights general
statements of basic and globally recognized privacy principles.
We carefully avoided making these principles read like
regulations intended to cover every possible contingency that
might arise because we knew that doing so would threaten the
flexibility businesses need to have to innovate on the
Internet.
The Consumer Privacy Bill of Rights recognizes that
businesses need to collect personal data simply to do business.
And it also recognizes that much of this data collection occurs
within the context of a direct relationship between consumers
and companies. On the whole, the Consumer Privacy Bill of
Rights provides a baseline to protect consumers from the wide
range of privacy harms that arise in our networked economy. The
administration believes this basic set of principles should be
enacted into law, and we are eager to work with the committee
to that end.
From there, we had a choice; we could have as so much
legislation does propose that a regulatory agency engage in
lengthy rulemaking proceedings to provide more detail and
definition for these basic principles. We did not do so.
Our second key aspect of our blueprint is that we looked to
the private sector, businesses and consumer advocates working
together to take the lead on implementation by developing
legally enforceable codes of conduct that apply the Privacy
Bill of Rights to specific business settings.
My agency NTIA will convene the various stakeholders and
facilitate their discussions, but we will not substitute our
judgement for the consensus reached by stakeholders. And since
I am not a regulator, we will not impose these codes on
businesses but will leave it to companies to decide on their
own whether to adopt a particular code, developed through this
multi-stakeholder process.
Once a company adopts a code, we believe it will be
enforceable by the Federal Trade Commission under its authority
to protect consumers from unfair and deceptive trade practices,
just as it does today with privacy policies adopted by
companies. And this strong enforcement of company commitments
to protect privacy is the third key piece of the
administration's policy.
Fourth and finally, the United States has a unique
opportunity to be a leading voice in global discussions of
consumer privacy. Our efforts in this regard will provide
American businesses with a stronger position by which to expand
globally with our trading partners by providing better
interoperability between privacy regimes around the world.
We are actively engaging our international partners to
promote these principles and to make it easier for American
businesses to succeed in the global marketplace. I want to
thank you again for your time and for holding today's hearing,
and I look forward to answering your questions.
[The prepared statement of Mr. Strickling follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much, Mr. Strickling.
Mr. Leibowitz, you are recognized for 5 minutes.
STATEMENT OF JON LEIBOWITZ
Mr. Leibowitz. Thank you, Chairman Bono Mack, Ranking
Member Butterfield, Chairman Upton, Vice Chair Blackburn, Mr.
Gonzalez, Mr. Kinzinger, and Mr. Olson for the opportunity to
comment the commission's testimony on consumer privacy.
I am particularly pleased to be along side Larry Strickling
of Department of Commerce, who has done a terrific job. And we
at the commission look forward to working with him and the
department on privacy codes of conduct as well as with this
committee on a variety of privacy issues.
This is a decisive moment for consumer privacy. The
collection of personal data has lead to great benefits for
consumers. We all want and need these benefits to continue but
not at the expense of individual privacy. So after careful
consideration, earlier this week, the Federal Trade Commission,
the Nation's privacy protection agency, released a report that
lays out what we in the public and private sectors must do to
make sure that the right to privacy for all Americans remains
robust.
The answer is simple: Consumers should have control of
their personal data. And to ensure that control, our report
lays out three powerful principles for companies to follow:
First, incorporate privacy protections into products as you are
developing them, that is the privacy by design; second, offer
consumers choice about how their data is collected and used;
and third, provide more transparency, that is better
explanations to consumers about how information is handled.
The best companies are already following these principles,
but baseline privacy legislation, if we can hit what you,
Chairman Bono Mack, called the sweet spot would help them with
clear rules of the road and ensure that the best privacy
practices don't put companies at a competitive disadvantage.
Let me highlight perhaps one the most important
recommendations we make in the report, that all stakeholders
should continue to push forward to complete a Do Not Track
system. Do Not Track is a one-stop mechanism that lets
consumers control whether their online activities are tracked
across Web sites. It is not run by the government but by
companies themselves. It is voluntary. An effective Do Not
Track system would going beyond merely allowing consumers to
opt out of receiving targeted ads. It would allow them to opt
out of third-party collection of behavioral data, other than
data gathered for operational purposes, like preventing click
fraud.
Because your computer is your property, no one should have
the right to put anything in it that you don't want. And going
back to Ms. Blackburn's point, that is a very conservative
notion.
I am optimistic that companies can get Do Not Track done by
the end of the year. To their enormous credit, since we issued
our call for Do Not Track in 2010, online advertisers, major
browser companies and the World Wide Web Consortium, an
Internet standards-setting group have all made strides towards
putting in place the foundation or Do Not Track system. Why?
Because really, going back to the point that Chairman Upton
made, they recognize that Do Not Track will help build consumer
confidence in the Internet, and that in turn will spur greater
Internet commerce.
We also will continue working with them to implement fully
a system in which all consumers can easily and effectively
choose not to be tracked in cyberspace.
Our final privacy report also recommends that data brokers,
who often hold a wealth of information about consumers but
remain invisible to them, improve transparency. We renew our
call for targeted legislation giving consumers reasonable
access to consumer data that these brokers maintain; that is,
access that is proportionate to the sensitivity of the data and
its intended use.
In addition, we will be holding workshops in 2012, to
explore two other issues, mobile privacy disclosures or dot-com
disclosures and data platforms like social media, ISPs and
operating systems.
Now while policy is an important component of our work,
enforcement remains the commission's priority. We are not, as
you know, a regulatory agency. The commission has brought more
than 100 spam and spyware cases; 80 cases against those
violating the Do Not Call rule; more than 30 data security
cases; and 18 cases involving the children's online privacy
protection act. As you know, we are in the process of updating
the COPPA rules to account for changes in technology.
We have also obtained orders against numerous companies
from making deceptive claims about privacy protections,
including the recently highly publicized privacy cases against
Google and Facebook, which, combined, protect the privacy of
more than 1 billion users worldwide.
Just this week, we announced a settlement with RockYou,
which is a popular social media gaming company. The FTC charged
that the company failed to use adequate security measures to
protect consumers private data. As a result, hackers gained
access to personal information of more than 32 million
customers. The commission also charged RockYou with collecting
personal information from children it knew to be under 13
without parental consent; that is a COPPA violation. Under the
commission's settlement, RockYou must implement a data security
program, undergo audits every other year, and pay a $250,000
civil penalty.
Finally, the commission promotes privacy and data security
through consumer and business education. For example, we
sponsor Onguard Online, a Web site that educates consumers
about basic computer security. Since its launch in 2005,
Onguard Online and its Spanish language counterpart, Alerta en
Linea, have had more than 25 million visitors.
Chairman, thank you for inviting me here today. We look
forward to continuing to work with Congress, the administration
industry and other stakeholders on privacy issues in the
future, and I am happy to answer questions.
[The prepared statement of Mr. Leibowitz follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much for your testimony,
gentlemen.
I would like to begin with recognizing myself for 5 minutes
for questions, and I will start with you, Mr. Strickling. Who
will be the final arbiter in the stakeholder process? And will
the NTIA merely chair the discussions, or will it have a more
substantial role?
Mr. Strickling. Our role is to facilitate the discussions
and to serve as a convener. The outcome will be determined
entirely by the participants in the process. It will be up to
them to decide if and when they have reached consensus around a
code to complete their work. We will not substitute our
judgment for what they are doing. Other role will simply be to
keep the parties talking and help guide them through the
process to reaching a conclusion that they themselves will
reach.
Mrs. Bono Mack. Do you have an idea how long this multi-
stakeholder process should take or is going to take?
Mr. Strickling. Well, it is an ongoing process. We don't
see this as just one set of discussions to create one code. In
fact, starting out, we intentionally are going to try to choose
a fairly discrete topic, perhaps one of our seven principles
and perhaps one slice of industry, not because we are singling
out any industry, but because we feel starting this process, we
need to start with a discrete topic and a limited number of
participants as we work through the process of having folks
work together and reaching consensus. So we envision the
potential that multiple codes will be created out of the
process. It largely will be driven by the interests of industry
responding to these concerns as they arise.
We will have the facility in place to help facilitate and
convene these discussions, but we won't be dictating the number
of codes or how frequently people meet or the rest of it. That
is really up to the participants.
Mrs. Bono Mack. The blueprint recognizes that targeted ads
are generally more valuable and the revenue derived therefrom
supports an array of services and content as well as funds
research and innovation. However, the blueprint calls on
companies to, quote, provide consumers with meaningful
opportunities to prevent disclosures to third parties. How do
you foresee the balance between funding free services and the
ability to innovate if consumers can prevent disclosure of
information and thereby cutting off the critical stream of
revenue?
Mr. Strickling. Well, let me go back to what I said before;
I am not the regulator, and I am not the party that is going to
make these judgments. What we want to do is run a process that
will allow all interested stakeholders to carry out the
discussions around questions just like the one you have just
asked and try to reach a consensus view as to how best to
approach it.
Again, to the extent that we at NTIA dictate what that
outcome should be, that would put us in the role of tipping the
balance that we are trying to achieve here as we allow industry
and consumer groups to work on these issues together.
Mrs. Bono Mack. Thank you.
Mr. Leibowitz, what role did the commission play in the
development of the administration's blueprint? Did you make any
of the recommendations that are included in the commission's
report? And if so, why and why not?
Mr. Leibowitz. I couldn't quite hear the last part of the
question. Do we support the recommendations?
Mrs. Bono Mack. Did you make any of the recommendations?
How involved in the process of formulating the blueprint were
you?
Mr. Leibowitz. So, working on your questions, from the last
to first, we were involved in consulting with the Department of
Commerce. We are very supportive of their approach. We will be
involved, I believe, as sort of one of the ex officio
stakeholders. And should codes of conduct be embraced by
industry or accepted by industry, we will use the FTC act as a
backstop for enforcing them. But, again, these codes of conduct
are voluntary. And we are looking to forward to working with
the Commerce Department.
Mrs. Bono Mack. Everybody is concerned about the unintended
consequences. This question sort of falls on that. Are you
concerned that some benefits of large anonymous data sets may
be lost if many people sign up for Do Not Track? For example,
predictions of flu patterns and epidemics by sharpened by
recording information about searches relating to flu or other
infectious diseases. If lots of people opt for no tracking,
could these benefits be lost or at least undercut?
Mr. Leibowitz. You know, I don't think so, Madam Chairman.
You know, one of the great things about this Do Not Track
initiative is that the most supportive entities of it have been
the business community. I think companies, you know, want
more--I think the best companies and I think 90 percent of all
companies involved in behavioral advertising or 90 percent of
the advertising are supportive of the Digital Advertising
Alliance, which is the business community's attempt to come up
with a Do Not Track initiative. They have made great strides,
and I don't believe that there will be any sort of
informational harms to consumers. You will still be able to
advertise to consumers, but consumers will have the right to
opt out. Again, we think that is a deeply conservative right.
It is a right to say no to people putting things in your
computer.
Mrs. Bono Mack. Thank you.
My time has expired.
I recognize Mr. Butterfield for 5 minutes.
Mr. Butterfield. Thank you, Madam Chairman.
Before getting started, I am just told by my staff that
Congressman Sarbanes from Maryland has been re-appointed to the
committee.
Is that right, John?
Welcome back, thank you. Very much we look forward to your
work.
All right. In its privacy report, the administration
advances the framework that ideally includes the development
and implementation of industry codes of conduct in parallel
with Congress passing baseline privacy legislation. To the
extent that the FTC intends to participate in the development
of these codes of conduct and has also endorsed the idea of
Congress passing baseline legislation, it also seems to endorse
the idea that these things should happen in parallel or
concurrently.
However, some are already arguing that these two pieces
should be delinked from each other. That is the development and
implementation of codes of conduct should completely play out
before Congress takes any action on baseline privacy
legislation. For example, one of today's witnesses argues, ``If
Congress is ever to grant the FTC new authority in this area,
it should at least wait to learn from the self-regulatory
process. Congress should assess the failure or success of the
overall self regulatory scheme.''
Let me ask both of you, I assume that you both disagree
with the view that one should come after the other; instead,
you agree that Congress should act sooner rather than later on
comprehensive baseline privacy legislation. Can you please
discuss why, ideally, development of codes of conduct should be
accompanied by passage of a privacy law?
Mr. Strickling. So we absolutely support the passage of
legislation to codify the baseline, the principles. Again, we
don't envision this as being a complicated piece of
legislation. We have given our--as we thought about it, we
think 10- to 15-page bill ought to be adequate to capture what
it is we are looking to do.
We do think and intend to proceed to work with industry and
civil society on these voluntary codes of conduct, even as the
legislative process continues. But clearly, I think industry
would find greater certainty in the overall regime if
legislation were passed as part of this process. But we will
work with industry; we will work with civil society to develop
these codes as we move forward.
Mr. Leibowitz. I would say, too, you have to hit the sweet
spot with legislation. And we are very supportive of what the
Commerce Department is trying to accomplish. But what you get,
I think, with legislation is greater certainty for businesses,
and you tend to avoid the uneven playing field in which the
best companies are willing to give very good privacy practices,
but they feel like they are at a competitive disadvantage. So
the answer is, yes, we are very supportive of moving forward on
legislation.
Mr. Butterfield. Thank you.
Earlier this year, Google announced that it was
consolidating most of its privacy policies for its various
services into one plain English privacy policy. Google also
made clear that it had long been sharing information across its
services and had disclosed this and that it was now expanding
the practice to include platform-wide cross-sharing of
information obtain through its search and video services.
Regardless of what Google did was right or wrong and regardless
of how it told the public, there are some, including myself,
who believe that the way in which Google openly and repeatedly
told its customers its plan was the right way to do it.
For me, the key take away here seems to have been missed;
that is that Google and any other company like it is mostly
bound only by its own public promises to its customers. There
is no baseline legal standard for what these companies can and
cannot do. In this country, consumers' privacy rights are for
the most part limited to what any one company chooses to grant
its customers.
Chairman and Administrator, both the FTC and the
administration are now calling for baseline legislation. Can
you please speak to this in the 45 seconds we have?
Mr. Leibowitz. Very quickly we are supportive of baseline
legislation. It can clarify rules of the road going forward. We
can bring actions ex post, after the fact, as we did against
Google for what we believe to be a breach of its privacy
promise to keep information private. They then made it public
as part of their first attempt to start up a social network;
that was Google Buzz. But yes, I think there are advantages to
having clear rules of the road in advance. We can't mandate
privacy policies, for example.
Mr. Butterfield. Thank you.
I yield back.
Mrs. Bono Mack. Thank you, Mr. Butterfield.
The chair recognizes Ms. Blackburn for 5 minutes.
Mrs. Blackburn. Thank you, Madam Chairman.
First, I would like to enter a statement from a Consumer
Electronics Association for the record.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Without objection.
Mrs. Blackburn. Thank you.
Mr. Leibowitz, I want to talk with you about Commissioner
Rosch's dissent from the FTC report. I am going to quote from
that. He said, privacy may be used as a weapon by firms having
monopoly or near monopoly power, and also large enterprises in
highly concentrated industries may be tempted to raise the
privacy bar so high that it will disadvantage rivals.
So my question to you is, are you concerned about the
bigger players in this space using privacy to try to wedge out
their competition?
Mr. Leibowitz. Well, I have great respect for Commissioner
Rosch. He agreed with some of our recommendations; for example,
the legislation involving data brokers. He didn't agree with
others. You know, on the antitrust side of what we do, we are
always concerned about the larger players squeezing out new
invasion, but our experience with self regulation--and again,
our report best practices for companies; it is not regulatory,
it is not--it doesn't impose obligations.
Mrs. Blackburn. Best practices, no rules, no force of law.
Mr. Leibowitz. No rules, no, force of law. That is exactly
right. And our experience with the advertising industry CARU,
which has a self-regulatory mechanism that actually ensures in
a lot of causes don't come to the FTC, has been that we haven't
had that problem. But of course, we will keep an eye on it.
Mrs. Blackburn. All right.
Mr. Strickling, any comment on the that?
Mr. Strickling. Well, with respect to the--I am sorry,
could you repeat the question?
Mrs. Blackburn. That is OK. Let's go ahead and move on
because time is tight, and we are going to go have votes in a
little bit.
Also Mr. Rosch said in his report, if implemented as
written, many of the report's recommendations would instead
apply to almost all firms and to most information collection
practices. It would result--it would install Big Brother as the
watchdog over these practices, not only in the online world but
in the offline world. This is not only paternalistic, but it
goes well beyond what Congress permitted the commission to do
under Section 5(n).
Now the reason this is of concern to me and as we discuss
privacy, in Tennessee, we not only have a lot of your
entertainment platforms; we also have health care informatics,
defense informatics. So we have your financial service sector
that is very involved there. And we have got a lot of
innovators that are trying to wedge into this space. So how do
you respond to that portion of his critique?
Mr. Leibowitz. I would say Commissioner Rosch is not only a
brilliant litigator, but he has a very good turn of a phrase
from time to time. But again, this is voluntary guidance; it is
best practices for companies and really thoughts for lawmakers
if you move forward with the privacy legislation. And so while
I have great respect for him, I disagree; I don't think it is
in any way going to undermine innovation. If it did, we
wouldn't be releasing this report.
Mrs. Blackburn. Thank you.
Let me ask you one more thing in the minute that is left.
Your opening, you referred to Do Not Track as a conservative
proposition.
Mr. Leibowitz. I do.
Mrs. Blackburn. I would take issue with you on that, and we
will drink a cup of coffee and have a robust discussion one
day. When you talk about Do Not Track, why don't you ever talk
about it in terms of the Federal Government not tracking,
instead of just telling businesses how to operate?
Mr. Leibowitz. Because we don't support a Federal
Government-run Do Not Track option. We support the private
sector voluntarily coming together as they have, under the
Digital Advertising Alliance, to come up with its own Do Not
Track proposal and we think--they think it is the right thing
to do I believe, you will have----
Mrs. Blackburn. In your opinion, then, how would the Do Not
Track work? Would it be opt in for everything every time you
log on to the computer?
Mr. Leibowitz. That is a good question. So it would be opt
out, so it is very modest in that sense, and it would only
apply to third-party tracking. So when you have a direct
interface with a company, Amazon, Netflicks, whatever, then
there is a bargain--consumers understand they are going be
tracked. When you go on a different--when you are on that site
and someone else is trying to put a cookie in your computer,
you would have the right to opt out. It is pretty modest, and
our sense, based on some work that TRUSTe, which a privacy
company based in San Francisco, has done is that the opt out
numbers would actually be kind of small. But at least it is a
choice and a right not to put property on your computer. And
your computer is your property. So we will have that cup of
coffee.
Mrs. Blackburn. Sounds like a winner.
I yield back.
Mrs. Bono Mack. Thank you.
The chair now recognizes Mr. Gonzalez for 5 minutes.
Mr. Gonzalez. Thank you very much, Madam Chair.
Welcome to the witnesses.
I guess I share some of the concerns of my colleagues but
maybe not to the degree or the extent. I don't see that this
Congress or any previous Congress has ever been paralyzed by
changing technology. We don't worship at any particular altar
of technology and sacrifice generally accepted principles that
have been part of our law and which our citizens expect, and
one is the right to privacy. We can adapt our laws as
technologies changes. It seems we are just so fearful that
somehow we can't because this technology is different; it is
moving quickly.
Let me read to you something, this is way back December
12th, 2010, New York Times, an article by Natasha Singer. And
she is citing from a Harvard Law Review: Solitude and privacy
have become more essential to the individual, but modern
enterprise and invention have, through invasions upon his
privacy, subjected him to mental pain and distress.
The privacy experts wrote this in the Harvard Law Review,
and I will give you the date in a minute, going on citing the
article: In this, as in other branches of commerce, supply
creates demand, they added. And that demand, they noted, ends
up broadcasting our private matters in public spheres.
Now the article was written by Samuel D. Warren and Louis
D. Brandeis. It was in the Harvard Review in 1890, and it was
referring to this viral technology of snapshot photography.
We have been able to adapt, haven't we? And we continue to
do it. And the basis for it, and I want to see if you agree
with this, it is the right to privacy. Do both of you agree? I
have learned this from Mr. Dingell, but no one does it like Mr.
Dingell. Just a yes or no. Do you agree that consumers have a
protectable right as to who has access to their information and
how it is used?
Mr. Strickling. We are asking you to enact those principles
in----
Mr. Gonzalez. Yes or no.
Mr. Strickling. Yes.
Mr. Leibowitz. Yes.
Mr. Gonzalez. And that that right is not contingent on any
particular technology or the manner or the means in which it is
accessed or which it is disseminated?
Mr. Strickling. Correct.
Mr. Leibowitz. Correct.
Mr. Gonzalez. Do you also agree that that individual
citizen has a right to opt out of having access to his or her
information and the dissemination of that information?
Mr. Strickling. Again, we are asking that that be a
baseline, that it be enacted in the legislation we are
recommending be passed to Congress.
Mr. Gonzalez. Mr. Chairman.
Mr. Leibowitz. Yes. And Justice Brandeis, as you know, was
one of the architects of the Federal Trade Commission, along
with President Wilson and President Roosevelt. And wrote about
in Olmstead, the right to be let alone, which he called the
most comprehensive of rights and the right most valued by
civilized men in 1928.
Mr. Gonzalez. I don't think anybody on either side of the
aisle really wants to change that basic principle, because you
may not have an outcry at this point, but I assure you it will
be developing if in fact we don't adopt some sort of model out
there for the behavior of the more responsible players in this
particular technological sphere. So that is my concern. And
that is going to be the voluntary nature of what you guys are
proposing.
Now my understanding and my experience at this stage in my
life has been that self regulation of any profession or
business enterprise is contingent on basically mandatory
enrollment, partnership in that particular endeavor. So I can
see that we are going have this code, so everybody that adopts
it, then may be enforceable through the FTC, even though it is
not law, as you are saying, but you are saying we have
authority to enforce. But then you probably have most of
responsible players, and what do you do about everyone else
that is not going to adopt this voluntary code and will not be
subjected to any kind of enforcement procedure?
Mr. Strickling. Well, again, that is one of bases on which
we are asking for legislation, because you are correct; the
vast majority of people who want to do the right thing will
participate in these processes and adopt appropriate privacy
policies, but then you have the question about the folks that
don't do that. And our recommendation is pass the set of
baseline principles, give the Federal Trade Commission the
authority to enforce those against companies that don't adopt
the codes of conduct so that you can deal with the very problem
you are talking about.
Mr. Gonzalez. Mr. Chairman, that is what you say you are
playing out?
Mr. Leibowitz. I agree with Mr. Strickling.
And I was talking yesterday to a very senior executive at a
major technology company, and we were talking about the merits
of Do Not Track. And he was saying to me, his company would
like to do Do Not Collect, and that is where they want to be.
In other words, which is what we say about Do Not Track; you
shouldn't be able to collect information. It shouldn't just be
do not advertise back to consumers, with a few exceptions for
operational purposes and antifraud purposes. And he said one of
the problems we have with this, John, is that we will be at a--
we might be at a competitive disadvantage. What we want is an
even playing field so that the best privacy protections are
across the board. That is the argument for legislation.
Mr. Gonzalez. Thank you.
Thank you, Madam Chair.
Mrs. Bono Mack. I thank the gentleman.
And the chair recognizes Mr. Olson for 5 minutes.
Mr. Olson. I thank the chair and want to welcome the
witnesses for coming here today. Thank you for your time and
your expertise. And I apologize for all the bells and whistles
that will happen pretty soon here. We have some votes coming up
on the floor. Just so you guys know where I am coming from on
these issues as a general position, I don't have a closed mind
about anything, but I don't have an empty mind either. What I
am very concerned about as a general rule, I am very skeptical
about Federal Government interaction in a free market economy.
I mean, we tend to have a one-size-fits-all mentality, and the
private sector has an incentive that no government agency has;
if they don't do what their consumers want, protect their
customer's privacy, guess what, they are using some online
service to get their resume up to date because they have lost
their jobs.
And I just want to talk about, the private sector has made
many tremendous advancements, and I want, Mr. Strickling, your
thoughts on a couple of questions here. Do you think that the
self-regulatory effort on the part of industry in developing
new privacy tools is showing true signs of progress? So are
they moving the ball down the field, so to speak? I ask this
because I am familiar with the Ad Choices icon, and I am sure
you are familiar with that as well. It is a project tool that
gives consumers choices about online behavioral advertising. It
was developed both very quickly and successfully--that the
government can't do--with wide adoption by the industry. Now,
this morning, a major Internet company, Yahoo, has announced
that they will be implementing a global support for a Do Not
Track mechanism that will recognize and implement a user's
request to stop receiving Internet-based ads through a browser-
based signal. Say that 10 times quickly. It seems to me that
these companies are on the right track, so I would like to hear
your thoughts on that as well.
Mr. Strickling. Well, there is no question but that the
self-regulatory efforts up until now have led to a certain
level of protection for consumers for those companies that have
participated in that and have adopted those approaches. But
this problem isn't just a United States problem; it is a global
issue. And our businesses want to do business in Europe; they
want to do business in Asia. And what our overall framework
helps enable is improved interoperability between what we have
in this company versus the regimes in these other parts of the
world, so that our businesses will have an opportunity to
continue to expand and grow outside of the confines of the
United States.
And there we see, particularly from Europe, they are
looking to see how closely our regime fits with what they are
doing. And there, for example, the--if Congress were able to
enact these basic set of principles and legislation, that would
very much help American businesses as they try to operate
throughout Europe. It would help them in other parts of the
world.
So our overall regime certainly would continue what has
worked well up to now in terms of the self regulation from
business but would allow us to take what is working here and
serve as a beacon for countries in other parts of the world
that are still deciding what sort of privacy regime they want
to enact, as well as being interoperable with parts of the
world, like Europe, that have very precise and detailed views
about how they want companies to behave in this sphere.
Mr. Olson. We are all concerned about opening up markets
overseas to our companies. But again, we should do what is
right for America. And if it is right for America, do what is
right for America, and not worry about what Europe does,
because again they are not a good business model, in my
opinion, on many of these issues.
Secretary Leibowitz, can you give your comments on those
questions I asked?
Mr. Leibowitz. Yes. Although I don't think I deserve a
promotion to Secretary, but thank you.
Mr. Olson. It says ``assistant secretary.'' I just chopped
off the ``assistant.'' In the military----
Mr. Leibowitz. You are very indulgent and----
Mr. Olson [continuing]. You don't call a rear admiral
``Rear Admiral,'' you say, ``Admiral,'' so ``Secretary.''
Mr. Leibowitz. Going back to the Ad Choices Network, which
I think is a marvelous example of self regulation moving
forward. They served I think 2 months ago, 900 billion ads with
the Ad Choices icon. I think they are up to a trillion in the
last month I am told. So that is a great example of the Do Not
Track notion moving forward in a self-regulatory way.
They have acknowledged that they have a little more work to
do. They are going to be honoring what is known as the browser
header, and the browser companies like Microsoft, and Mozilla,
and Apple have really been out front in their support for Do
Not Track. And they hope to have that finished by the end of
the year. And I think that would be a great thing for Americans
and for consumers in terms of striking the right balance
between innovation and privacy.
Mr. Olson. One quick yes-or-no question because I am
running out of time. But the President's privacy proposals
calls for multi-stakeholder process to establish voluntary
codes of conduct. If, at the end of this process, the companies
choose not to adopt voluntary codes of conduct, what is your
position? Do you have a plan B?
Mr. Strickling. Well, in the absence of legislation, that
is the end of it. If legislation is passed, we are asking that
the FTC be given the authority to enforce the basic seven
principles that we have laid out, but that would only come if
and when legislation is passed.
Mr. Olson. Thank you.
Yield back.
Mrs. Bono Mack. I thank the gentleman.
And I am happy to welcome to our subcommittee, Mr.
Sarbanes.
Welcome, we are happy to have you, and I recognize you for
5 minutes.
Mr. Sarbanes. Thanks very much, Madam Chair, thank you all.
Chairman Leibowitz, you were talking a minute ago about
someone you were talking with who said they would love to get
to do not collect. Can you explain that a little bit more to
me? And tell me why they would want to get to that?
Mr. Leibowitz. Why we would like to see----
Mr. Sarbanes. Why did that industry player say, I would
like to get to do not collect? What is in his head?
Mr. Leibowitz. Well, what he is thinking is this, he wants
to do the right thing for consumers, his company. He knows also
that as a general matter, the more private--the more
consumers--the more privacy consumers have, the happier they
have, the more trust they have in the Internet, and the more
commerce they do on the Internet. You take a really good
company that wants to do the right thing, and sometimes they
have to compete against companies that don't have such a high
privacy baseline or that actually are sort of bottom feeders. I
mean, that is what we do with our enforcement side of the our
agency, right, is we go after companies that violate and try to
rip off consumers, basically. So what he is thinking and I
believe what many companies are thinking is the right thing to
do is to give consumers the ability to opt out of tracking,
that is Do Not Track. And what he wants to know is that if he
does that or if his company does that, that he will be among
the many. I think we are moving towards a Do Not Track option
for consumers that is easy to use; it is effective, and it is
persistent.
Mr. Sarbanes. Does the industry think that the public is
actually not going to engage in as much sort of commerce or
interaction online with their products and services if there
isn't a Do Not Track opportunity or ultimately say do not
collect, or they will be just in a better mood?
Mr. Leibowitz. Well, I think study after study shows that
consumers are very concerned about privacy and that the more
trust they have in the Internet and in cyberspace, the more
commerce--I don't have the surveys with me, but I will provide
them to you after the hearing.
Mr. Sarbanes. Anecdotally, we are all aware of that
perspective. I think it is absolutely correct.
And I gather, also, what you are saying is industry by and
large supports codifying the kind of principles that have been
articulated here in both reports, right?
Mr. Leibowitz. I can't speak for the Commerce Department,
but I think that is right. I think, on Do Not Track, we have a
sort of somewhat motley coalition, but everyone is pulling
together to get to an endpoint. Maybe let me strike the word
``motley.'' We have an interesting coalition.
Mr. Sarbanes. They are all sitting behind you.
Mr. Leibowitz. I know that.
Mr. Sarbanes. Which one is the mot and which one is the ly?
Mr. Leibowitz. I know and we have great respect for the
people who are doing this. I think at the end of the day, by
the end of year, I am optimistic that there will be no
daylight, and we will have an effective Do Not Track option for
consumers. And it will be done voluntarily by companies, which
is very, very meaningful I think.
Mr. Sarbanes. You say here--you don't say, but the
standards that are articulated in the FTC's report you talk
about, instead of setting forth a list now of commonly accepted
practices for which companies do not need to provide consumers
with choice, the idea is to say that as long as collection and
use practices are consistent with the context of the
interaction, but of course, that judgment is going to get made
by the industry.
Mr. Leibowitz. Sure.
Mr. Sarbanes. So talk about the slope there, does that get
slippery? And how do you sort of periodically go in and
determine whether their idea of what the context of an
interaction is, is the public's idea of the context of an
interaction?
Mr. Leibowitz. That is a great question. So the context of
the interaction, you know, we put out our draft report in 2010.
We got 453 comments, many of them very, very good. Most of them
from business. So we sort of refined our thinking here. And
context of the transaction means this--and again, these are all
best practices. They are not rules. They are not regulations.
But companies shouldn't have to give choice when the consumer
understands that choice is necessary. So if you go to Amazon
and order a book, and they are using someone to deliver that
book other than Amazon or an online retailer, you expect that
Amazon will give your information, your address, your name to
the company that is doing the fulfillment and doing the
delivery. So, in those circumstances, you shouldn't have to
give consumers choice.
In other circumstances, we think the better approach is
choice. And what do we do if companies don't engage in best
practices? Well, if they don't engage in best practices, they
are not liable under the FTC act. They are liable under the FTC
act which prohibits unfair or deceptive acts or practices if
they engage in unfair acts or practices. Again, these are, to
some extent, aspirational for all companies; they are practices
that the best companies engage in already. And then we go after
the bad companies or the companies that sometimes are good
companies but have engaged in unfair or deceptive practices by
saying, you know, we are protecting your privacy information
but ultimately not doing that and making it somewhat public.
Mr. Sarbanes. Thank you.
Mrs. Bono Mack. Thank you. And I would ask the witnesses to
make sure you pull the microphones closer to your mouth. The
people in the back row are having a hard time hearing you.
The chair now recognizes Mr. Kinzinger for 5 minutes.
Mr. Kinzinger. Thank you, Madam Chair.
Thank you, Secretary and Commissioner, for coming in to
talk to us today. Very much appreciated. The committee has
worked diligently over the past year to promote better consumer
protections for consumers.
We want to maintain a marketplace of innovation and give
consumers the tools to protect their personal information. I
will be the first to say that the government needs to put an
end to needless regulations that do little to protect consumers
or protect jobs, but I do have some serious concerns that
without privacy protections, consumers could lose confidence in
the online free market. And in fact, that could be very
counterproductive.
This committee has a very challenging task before it, how
to provide regulation with the necessary flexibility to ensure
government agencies don't stifle growth. I appreciate both of
your efforts in this space and hope that your work is moving in
the right direction.
Mr. Leibowitz, in your testimony you state that to the
extent these best practices won't serve as a template for law
enforcement or regulations under current law. What portion of
the best practices do you believe falls under the current law
or Section 5 authority of the FTC?
Mr. Leibowitz. I don't think any. I would say best
practices would never be in violation of the FTC Act. Even if
you don't reach those best practices, you may still not be in
violation of the FTC Act. It prohibits unfair or deceptive acts
or practices. So we wanted to make it very clear that this
isn't a regulatory document or an enforcement document. We go
after companies when they engage in unfair or deceptive acts or
practices, not when they don't meet the goals of the report.
Mr. Kinzinger. Understood. And do you believe the
commission has the authority to enforce any privacy rules under
Section 5?
Mr. Leibowitz. We do. I mean, we have the authority to go
after companies that engage in unfair or deceptive acts or
practices. We just announced a case today involving a company
that is very well known called RockYou. And RockYou is a
popular social media gaming company. They failed to have--we
believe they failed--we allege they failed to have adequate
security measures. It resulted in personal information of more
than 32 million consumers being captured by hackers;
fortunately, not Social Security numbers, and fortunately, not
credit card numbers. And we investigated them, and we put them
under order this week.
Mr. Kinzinger. Excellent. This is for both of you, and you
can keep it short because I know we have some things upcoming
up here. Do you believe the lack of data security and
notification legislation is a significant threat to consumers?
And is it more of a threat than not passing a privacy framework
in your opinion, sir?
Mr. Strickling. Well, they are both important. And
certainly the administration supports the passage of data
breach legislation to provide a national standard for the
entire country.
Mr. Leibowitz. I think they are both important, and data
broker legislation--again, data broker--we support data
security legislation. We worked with this committee on both
sides of the aisle to try to make that go forward on data
broker legislation. So data brokers are sort of third parties
that collect information, monetize it, sell it. So there is
some value to the economy for it. But there is also no
interaction with consumers. We think that there should be
limits on their ability to do that, sort of commensurate with
the kind of information they are collecting and the use to
which they are putting it. And actually, when we released the
report, one of the senior executives at Acxiom, which is the
largest data broker, acknowledged that it is not--quoting her
from the New York Times, ``It is not an unreasonable request to
have more transparency among data brokers.'' And in fact, that
is one of the areas where we had unanimity on the commission.
Mr. Kinzinger. Well, thank you. And again, thank you for
your time.
Madam Chair, thank you for recognizing me. And I will go
ahead and yield back.
Mrs. Bono Mack. All right.
And the chair now recognizes Mr. Waxman for 5 minutes.
Mr. Waxman. Thank you very much, Madam Chair.
Chairman Leibowitz, in your report from the FTC, you once
again call on Congress to pass legislation to give consumers
access to information about them held by data brokers. The FTC
also calls on data brokers to create a Web site where they can
identify themselves to consumers, tell consumers about their
collection and use practices, and tell consumers about any
rights and choices regarding information about them kept by
data brokers. I appreciate the FTC has used its report to once
again bring attention to offline data collection. Much of the
discussion around privacy has focused on online data
collection, pushing further into the dark a piece of the
tracking industry that consumers know little to nothing about.
Yet I understand these two pieces, online and offline data
collection, are beginning to converge so that the information
from both sources gets mixed up into one super profile about a
consumer. The FTC report also highlights something else
interesting in connection with this. The report points out that
following some scrutiny in the 1990s, some data brokers created
a self-regulatory organization, but that group was subsequently
terminated.
Then, in 2005, it was revealed that ChoicePoint, a large
data broker, experienced a data breach, and these firms were
once again in the spotlight. But as the report points out,
there have been no meaningful broad-based efforts to implement
self-regulation in this area in recent years.
Chairman Leibowitz, I would like you to address two things.
First, what lessons can we draw from the failed efforts at
self-regulation by data brokers? And second, can you please
discuss why it is important that we pay attention to offline
data collection and move legislation to grant consumers access
rights to this information?
Mr. Leibowitz. Well, let me take the second question first.
As you point out, there is a massive sort of collection of
information by these companies. And they provide value. I don't
want to say that the companies are inherently bad. And they
combine online and offline. They monetize this information.
They sell it, and consumers have no idea whether the
information is--what information is being collected about them
and where in cyberspace it is going.
So, even industry, I don't know if you heard my back and
forth with Mr. Kinzinger, but even industry, some of the
largest companies have acknowledged there is a need for more
transparency here. So that is a good thing. And going back to
your first point, I think the conclusion--a conclusion you
might draw is that the notion of a centralized Web site is one
that perhaps this industry may be willing to engage in. And we
have called for you to explore it in legislation, and we are
going to explore this issue going forward with the industry,
because we want to work cooperatively with them.
Mr. Waxman. Administrator Strickling, do you have any
thoughts to add about the self-regulatory experience with
offline data brokers and the importance of improving access and
transparency with respect to this part of the data collection
industry?
Mr. Strickling. Well, in general, we see this as an area
that could work with some improvement. And we do believe our
multi-stakeholder process that we proposed would provide a good
opportunity to do just that.
Mr. Waxman. Chairman Leibowitz, in your testimony, you
discuss a final settlement the FTC entered into with Google
late last year for a case in which the agency charged that
Google deceived consumers in connection with how it rolled out
Google Buzz. The FTC is also in the process of settling a case
with Facebook in which you charge the company with several
deceptive and unfair practices. The settlements are similar in
that going forward, you require Google and Facebook to follow
and implement a number of protective privacy practices.
However, neither of these companies has had to pay a
penalty for what they did, not one penny. The fact that neither
Google nor Facebook will have to pay a fine left some outside
observers puzzled. So I would like you to discuss something
else you bring up in your testimony, the need to grant the FTC
civil penalty authority as part of any privacy bill that may
come out of Congress. Is it correct that, as it stands now,
even the FTC, had it wanted to, could not on its own seek civil
penalties against Google, Facebook, or anyone else for unfair
or deceptive privacy practices?
Mr. Leibowitz. That is correct.
Mr. Waxman. And is it correct that you were not able to
seek civil penalties from Google and Facebook because Congress
has not granted you the authority to seek these penalties under
these circumstances?
Mr. Leibowitz. That is correct.
Mr. Waxman. And the FTC report calls on Congress, as part
of any privacy bill, to provide the authority to seek civil
penalties. Can you tell us why civil penalties should be seen
as a key component of any privacy law?
Mr. Leibowitz. Because I think it just makes much more
effective deterrent. I think 46 attorneys general who have baby
FTC Acts have this authority. You have to use it judiciously.
And civil penalty authority for violations of the FTC Act, as
you know, is unanimously supported by the commission, all four
commissioners, Republicans and Democrats. And really the notion
goes back to when Caspar Weinberger was the chairman of the FTC
in the early 1970s, because he was a very big advocate for
civil fining authority.
Mr. Waxman. Thank you, Madam Chair.
Mrs. Bono Mack. Thank you, Mr. Waxman.
It is my intention to roll through this one vote on the
floor and have Vice Chair Blackburn take over momentarily.
But in the meantime, I am going to recognize Mr. Stearns
for 5 minutes.
Mr. Stearns. Thank you, Madam Chair.
Just to point out what Mr. Waxman said, wasn't it true with
Google, you put in place a 20-year audit on them?
Mr. Leibowitz. We did. Twenty years is our standard----
Mr. Stearns. And in the possibility that they are in
violation of that audit, then you could fine them, right?
Mr. Leibowitz. Yes. If you are under order and you violate
an order, then you are subject to fines. That is exactly right.
Mr. Stearns. So you do have the ability to fine.
Mr. Leibowitz. Yes, for the second violation.
Mr. Stearns. Yes. OK. I just want to clarify that.
This question is a little self-serving. I have a bill
dealing with privacy. It is H.R. 1528, the Consumer Privacy
Protection Act of 2011. And in my opinion, this bill calls for
a clear and easy-to-understand privacy policy statement, and
provides the FTC to approve a 5-year self-regulatory program. I
guess the question for Mr. Strickling and Mr. Leibowitz,
Chairman, is would you support advancing this type of bill
through Congress as an attempt for a Federal baseline?
Mr. Strickling. We have not yet taken a position as an
administration on any particular piece of privacy legislation
up here. But again, we absolutely support the enactment of a
straightforward baseline set of privacy protections, subject to
the multi-stakeholder process and codes of conduct which would
then flesh them out. But in terms of what would go in
legislation, yes, we support a very straightforward, simple
piece of legislation to codify the basic principles.
Mr. Stearns. If you can, just look it over. When I was
chairman of this subcommittee for 6 years, I had seven hearings
on privacy. And that was developed. And it was developed in
consensus. We got it out of the subcommittee. Jan Schakowsky
was the ranking member. So you might look at it.
Mr. Leibowitz. We also have endorsed general privacy
legislation, but nothing specifically. But we want to work with
you, because I know you are trying to accomplish the same goals
that I think we share.
Mr. Stearns. Yes. And so when a person says Federal
baseline, just give me one sentence, what does that mean to
you?
Mr. Leibowitz. A baseline?
Mr. Stearns. Yes, Federal baseline.
Mr. Leibowitz. On privacy?
Mr. Stearns. Yes.
Mr. Leibowitz. It means setting a standard that protects
consumer privacy in a way that doesn't in any way undermine
innovation.
Mr. Stearns. And you, Mr. Strickling?
Mr. Strickling. Quite straightforward. I think it is taking
our seven principles and putting them in a 10- to 15-page piece
of legislation and enacting them.
Mr. Stearns. I think some stakeholders have come out and
made some positions known during this comment period that you
are having here. How long is this comment period?
Mr. Strickling. It will close on Monday.
Mr. Stearns. OK. Do you think that is long enough?
Mr. Strickling. I believe so. It has been open for nearly a
month. Plus we, in our process to develop the blueprint, have
had numerous conversations with industry and civil society
groups for the last year and a half. So we feel we have a
pretty good handle on where industry and the not-for-profits
are at on these issues. But we still wanted to give them an
opportunity to provide direct input on how we could craft the
multi-stakeholder process that we are going to start later this
spring.
Mr. Stearns. How many comments have you gotten?
Mr. Strickling. Oh, we usually don't get them until the due
date. So we extended the due date at the request of some
commenters. I think we have gotten a handful so far.
Mr. Stearns. You have got three or four comments is all you
have got?
Mr. Strickling. I don't know the exact number, sir. But not
a lot.
Mr. Stearns. OK.
Mr. Strickling. I am told 15.
Mr. Stearns. All right. That is what staff is for.
Mr. Strickling. Yes.
Mr. Stearns. Would it make sense, as a first order of
business, for the NTIA to formally acknowledge as acceptable
those existing voluntary codes of conduct it has concluded are
models of effective self-regulation?
Mr. Strickling. Well, we are not going to recognize any
codes officially that come out of our process. So there is
nothing about any work that has happened before now that is any
way jeopardized or threatened by what we are going to put in
place. It will build on the work that has already been done by
industry and consumer groups up until now.
Mr. Stearns. This is just a comment, Chairman Leibowitz. I
think you said in an FTC privacy report that if a customer
books a weekend vacation, they would be unlikely to be
interested in continuing to see hotel advertisements after the
trip is complete. What research or surveys did the FTC conduct
to reach this conclusion, which seems to be a little
subjective, depending upon who you are, because you might,
after you get to your particular hotel, you might be interested
in continuing seeing hotel advertisements and maybe make some
calls if you want to extend your vacation?
Mr. Leibowitz. You know, my anecdotal and personal opinion
is that sometimes you do. And so I will go back and I will
check on the research we have done in order to incorporate
that, again, that prose. Again, what our report is about, and I
know you have read through parts of it, is voluntary codes of
conduct. So it doesn't impose any mandate on anyone, and it
doesn't--if you don't delete--if a company doesn't delete those
ads, of course, it is not an unfair or deceptive act or
practice. It is a fair point.
Mr. Stearns. So your research is anecdotal?
Mr. Leibowitz. I will come back and I will research it with
respect to central Florida.
Mr. Stearns. All right.
Thank you, Madam Chair.
Mrs. Blackburn [presiding]. The gentleman yields back. I
know we have Mr. Markey and Mr. Pompeo, who are en route.
And as they are returning, Mr. Leibowitz, I want to come
back to you on this authority and the enforcement, what the FTC
would do. It sounds like the White House and the Commerce
Department feel like that we can get by more with self-
regulation. So I want to know where there is a gap in authority
when it comes to enforcing privacy violations. Tell me where
you would see this.
You say, the FTC says it already possesses sufficient
authority to enforce the privacy violations. And then you hear
some things that Mr. Strickling says and some of the White
House, and it looks as if they are looking more at self-
regulation or would bend more to self-regulation. So, you know,
tell me where you think there is a gap.
Mr. Leibowitz. So this is a really good question. And we
can go after unfair and deceptive acts or practices, and we do.
That is our bread and butter. We are an enforcement agency.
What we can't do--I mean, what we do as an enforcement agency,
though, is we look back at violations; we don't look forward.
So companies don't necessarily have the certainty that they
want. And again, I was talking earlier today about a
conversation I had with a very senior technology company
executive who wants to do the right thing. But what he worries
about, and it is a totally legitimate worry, is if I give the
best privacy practices to customers, am I going to be at a
competitive disadvantage? So the notion of privacy legislation
and the codes of conduct that the Commerce Department and the
White House are talking about is one that would give more
certainty and create an even playing field. But again, you
know, we----
Mrs. Blackburn. So if I were to define the differences
between the way that you two gentlemen approach this, you would
say, be more proscriptive; and you would say, depend more on
the guidelines.
Mr. Strickling. Well, it is a four-part program. First is
the baseline legislation, which could be directly enforceable
by the Federal Trade Commission against those rogue companies
that choose not to adopt any protections for their customers.
But you are right, we then would have the detailed practices
and processes developed through these voluntary codes involving
industry and other stakeholders. We do think that those codes,
if adopted voluntarily by a company, would then be enforceable
by the Federal Trade Commission just as they enforce those
sorts of policies today.
Mr. Leibowitz. So I wouldn't call our--I would say our
efforts are complementary. Theirs looks a little bit more at
sort of procedural aspects, how do you get companies in a room
to come up with guidance. We look at sort of aspirational--best
practices for companies today, and sort of aspirational
practices for the companies that don't have the best privacy
policies. And I think they are very, very complementary. But I
don't think anything that we have talked about is proscriptive.
Really we have sort of two functions, neither proscriptive. One
is a policy function that goes back to when the agency was
created in 1914, and the other is enforcement for violators. A
lot of companies--so we go after the bottom feeders or the good
companies that, you know, make a mistake once, hopefully only
once. And then we try to encourage companies--again, we had a
multi-stakeholder process as well. They only had 15 comments;
we had 450--more than 450 comments. Most of them from
companies. We held multiple workshops. And so this is a sort of
a guide for really best practices. It is not proscriptive.
Mrs. Blackburn. Thank you.
At this time, I will recognize Dr. Cassidy for 5 minutes.
Mr. Cassidy. Hello, gentlemen. Thank you for working on
this. We have had several hearings on this. I met privately
with some folks. And you guys have really worked hard at this.
And it seems like we are coming to something that we can be
comfortable with. So if you will, I want to move to something
that we are not comfortable with, which frankly I don't know
answers to, but because you are experts I explore with you.
We are all familiar with the tragedy of the gentleman
Trayvon Martin who was shot in Florida. And some of us are
familiar with the fact that Spike Lee retweeted the address of
someone named George Zimmerman, not the George Zimmerman, but
another. Now, this is counter to Twitter's stated user rules,
but apparently, it took them 3 days to take that down so I have
been told. And in the meantime, we have seen terrible tweets,
until finally someone named Megan says anyone who retweets this
is guilty of the same crime. Now, she was a sensible person.
Now, I am exploring this with you because this is privacy,
but it is not technically consumer privacy on the other hand,
and there was a policy on Twitter, but you see where I am going
with this. And so to explore, I ask you your opinions. Aside
from the fact that Spike Lee should not have done it, and it is
reprehensible. I will say that.
Mr. Leibowitz. So Spike Lee is a great filmmaker, but, you
know, it is a bad practice, right? And the right to privacy is
a very complicated right, but it is a bedrock right, you know,
in our Constitution from government. And it is a critically
important right for consumers with respect to sort of
information that is aggregated. You know, but at bottom line, I
would say people have to exercise good judgment. Right?
And one of the reasons why we focus a lot on children's
privacy is because children and teens are incredibly lucid with
technologies, but they act very impulsively, and they don't
always exercise good judgment.
So it is, you know, it is a great example that you raise.
There are no easy answers to it. I don't know that it is a
violation of anything but good judgment and common sense.
Mr. Cassidy. Now, I understand that there is the you cannot
yell ``fire'' in the crowded movie theater kind of test as a
limit of free speech. And Spike has 250,000 followers. And the
elderly couple, the elderly couple, who is law-abiding, has had
to move into a hotel because of death threats. And again, I am
not doing anything but kind of posing the question, at what
point does it come to the standing of yelling ``fire'' in a
crowded theater?
Mr. Leibowitz. Well, I don't know the answer to that
because it is not subject to an easy--it is not subject to an
easy answer. Obviously, we only have jurisdiction over
commercial privacy issues. But I think it is important for
people like you. And I was reading the transcript from the last
hearing, and I saw your questions. I think it is important for
people like you who care about privacy, and also care about
justice to sort of speak out when you can.
Mr. Cassidy. OK. So, at this point, it is still moral
suasion, but it isn't necessarily anything that even though
Twitter didn't take it down for 3 days, that there is anything
you would consider would be appropriate in a regulatory realm?
Mr. Leibowitz. You know, we will go back and think about
that. I don't know what the circumstances are. I don't see it
as an unfair or deceptive act or practice. Perhaps they should
have taken it down sooner. But by the way, once someone puts a
tweet up with 250,000 followers, you know, it is immediately
retweeted and retweeted again. And Twitter, by the way, who we
have under order for a data security breach, you know, Twitter
has provided enormous value to consumers. And you know, you
don't want to use the heavy hand of government I think when
these companies are providing value and being innovative. But I
hear your point.
Mr. Cassidy. That is fair. Thank you.
And again, I was not challenging; I was trying to broach.
Next regarding children, as I read your testimony everybody
understands children are a special case. But I keep on thinking
that my savvy little 10-year-old is going to put down she is 19
when she wants to get on a Web site that she knows Daddy may
not approve of. So unless I walk by and bust here, she is going
to be someplace she wouldn't. Knowing you have thought about
that, how do we address that?
Mr. Leibowitz. Well, you know, you have tasked us, you the
Congress, with enforcing the Children's Online Privacy
Protection Act, which applies to sites targeted at 12 and
under, and also applies to companies when they know that there
is an underage user. You don't always know that, of course.
What we have done in our proposal for updating COPPA, because
the technology is massive--we actually accelerated as part of
our regulatory reform efforts our COPPA update because the
technology has changed massively in the last 10 years since
COPPA was enacted--12 years since COPPA was enacted--is in
proposal, we are taking comments, is to try to make it more
difficult for the smartest children or the most tech-savvy
children to elide around the COPPA protections. So that is
something we are looking at. Happy to give you an offline
briefing on what we are doing.
Mr. Cassidy. Sounds good. Thank you.
I yield back.
Mrs. Blackburn. The gentleman's time has expired.
At this time, I recognize Mr. Butterfield in round two.
Mr. Butterfield. Thank you.
Chairman Leibowitz, in your testimony, you state that the
World Wide Web Consortium, the Internet standards group known
as W3C, is working with a broad range of stakeholders to create
an international industry-wide standard for Do Not Track.
Overall, you seem to have a positive view about this
process and the progress being made there. Can you please
discuss the efforts of W3C so far and what its work can mean
for consumers who want not only to not to be targeted, but who
also want not to be tracked online?
Mr. Leibowitz. All right. So there are sort of three
different streams that are coming together. One is the Digital
Advertising Alliance that is working on its Do Not Track
option. And it serves close to a trillion ads every month--
trillion ads or the ad choices opt out.
Another is the sort of browser vendors, the big browser
companies, like Microsoft, Mozilla, and Apple, who have
wholeheartedly endorsed the notion of Do Not Track. And the DAA
is in the process of implementing the browser header approach,
that if a browser says ``Do Not Track me'' or ``do not collect
my information,'' they will not do that.
And the third is the Worldwide Web Consortium, W3C, which
is working on setting a standard. All of these streams are
heading in the same direction. We believe, and I am optimistic,
that they will come together by the end of the year in a
persistent, effective, easy-to-use Do Not Track option for
consumers.
Mr. Butterfield. In your testimony, you also state that
some issues remain, and the commission encourages all of the
stakeholders to work within the group to resolve these issues.
Can you tell me what some of those issues are and why it is
important?
Mr. Leibowitz. Well, I think that within--well, I will let
others, and there will be someone on the next panel speak for
the Digital Advertising Alliance. I think many members of the
Digital Advertising Alliance want to have robust Do Not
Collect, with exceptions for antifraud efforts and network
management. I think some others would like it to be Do Not
Advertise back. I am comfortable--I am not only comfortable, I
am enthusiastic that in a world where we haven't seen a lot of
voluntary self-regulation, and really this is almost a code of
conduct of the type that----
Mr. Butterfield. Mr. Strickling, you want to jump in here?
Mr. Leibowitz [continuing]. That we are moving forward, and
we are going to have it done.
Mr. Strickling. I am not directly familiar with the
remaining issues in these discussions except that we are very
supportive of the processes that are underway in all of the
cases the chairman described.
Mr. Butterfield. The administration highlights two concepts
as key to the multi-stakeholder processes for the development
of self-regulatory industry codes of conduct. They are, as you
know, openness and transparency. Openness means that a broad
group of stakeholders, including consumer groups and privacy
advocates, have the opportunity to participate. Transparency
means that it will be apparent to stakeholders in the public
how decisions coming out of the multi-stakeholder process were
reached. Some witnesses on the second panel today question the
value of these two concepts to the codes of conduct development
process. In particular, they suggest that some aspects of these
negotiations should be private.
Mr. Strickling, can you please explain why both open
participation and transparency are important?
Mr. Strickling. Well, we think it is quite important that
the results of this process have credibility, both with the
companies and the consumer groups that participate in it, but
also with the consumers that are going to benefit from that.
And we don't think there is any substitute for openness and
transparency in terms of being able to establish that sort of
credibility. But again, these are voluntary discussions. The
discussions that we convene will have the hallmarks of openness
and transparency. There is nothing about our process that in
any way would prevent or deter parties from talking amongst
themselves outside of our room. So those sorts of discussions
may well take place in the interstices between our sessions.
But the sessions we conduct will be open and transparent.
Mr. Leibowitz. And we are very supportive of the Commerce
Department's open and transparent approach.
Mr. Butterfield. All right. Thank you.
I yield back.
Mrs. Bono Mack [presiding]. The chair recognizes Mr. Barton
for 5 minutes.
Mr. Barton. Thank you, Madam Chairwoman.
I apologize for being tardy. I live 7 miles from the
Capitol, and it took me almost an hour to get here today. I
used every trick I could. The point remains to get into
Washington from Virginia, you have got to cross the Potomac.
And that means you have got to go across a bridge, and they
were all clogged.
In any event, I want to welcome our two administration
witnesses today. I especially want to commend the Federal Trade
Commission. You all have been doing excellent work on privacy.
I also think the recently issued Consumer Bill of Rights,
Consumer Protection Bill of Rights, Privacy Bill of Rights is
excellent. I think that is great.
My question to the FTC commissioner would be, does the bill
that Mr. Markey and I have introduced, the Children's Do Not
Track Act of 2011, is that congruent and consistent with what
the FTC has been attempting to do from a legislative
standpoint?
Mr. Leibowitz. Yes. I think it is very, very consistent.
And we are very supportive of what you are trying to
accomplish. As you know, children, teens are very technology
savvy, and they are also prone to act impulsively and
recklessly. So some of the notions in your--what is in your
legislation I think is very important. One of the areas that we
explored in our report is the notion of the right to be
forgotten. I think particularly for children and for teens,
there is a real value in doing that. And in our order
involving--you noticed it, I am sure--but in our order
involving Facebook, we included a provision that allows
consumers or users, if they are leaving Facebook, to report
their information back. So it is a sort of notion of the right
to be forgotten. We think it is very important. And we want to
work with you on your legislation going forward.
And the other thing I would say is of course, as you know,
in our COPPA rulemaking, one of the few areas we do rulemaking
in is Children's Online Privacy Protection Act, it is very
consistent with some of the provisions in your legislation.
Mr. Barton. Thank you, sir.
I want to ask Mr. Strickling, the Consumer Privacy Bill of
Rights, as I understand it, is not in legislative language. Is
it the administration's intention to present it in legislative
language and ask the Congress to act on it at any time in the
near future?
Mr. Strickling. Our goal is to work with this committee and
to work with the Senate to come up with legislation. If it
would help advance the process for the administration to
propose specific language, we will certainly consider that. But
I think our goal here is to work the best way we can in a
bipartisan way to come up with legislation working with both
Houses.
Mr. Barton. I am going to yield back, Madam Chairwoman. I
want to thank you for your focus on privacy and the hearings
that you have held.
I also want to commend my friend Mr. Markey. I have lost a
bet this week. We decided to get new cosponsors for our
children's online protection privacy bill, Do Not Track bill. I
think I have two. And I think he has around a dozen. So, for
this week, but this week alone, Mr. Markey, the trophy goes to
you. I know my Republicans are going to rally to the flag, and
we will catch up. Good job on the cosponsors this week.
With that, Madam Chairwoman, I yield back.
Mrs. Bono Mack. All right. The gentleman yields back.
And the chair recognizes Mr. Gonzalez for 5 minutes.
Mr. Gonzalez. Thank you very much, Madam Chair.
At this time, I would like to yield to my colleague, Mr.
Markey.
Mr. Markey. I thank the gentleman so much.
For kids, the Internet is oxygen. They can't live without
it. So what Mr. Barton and I have done is introduce a bill to
protect kids 15 and under. Each kid who lobbies successfully,
they are 12 to 13, they are 14, to get their iPad, to get their
Kindle fire, they are now off into places that their bicycle
can't take them. And so the question is, are we going to
protect those kids? Now, we should also debate what we are
going to do for 24-year-olds, and 34, and 54, and 74. But do we
really have to debate what we are going to do for 15 and under?
Do we really have to debate that?
So let me ask you this, because I will give you the core of
our bill. And I will ask the two of you--first of all, thank
you, Mr. Leibowitz, for all your great work, and Mr.
Strickling.
Our bill requires consent from parents before companies
collect information about children; ensures that kids and teens
15 and younger have an eraser button to delete their personal
information online; and it prohibits targeted advertising to
kids and teens 15 and under. So this would not be big
government; this would be big mother and big father able to
police what is going on with their kids as they are going
online. And we are only talking about children here. That is
it. No more, no less than that.
And overwhelmingly, these numbers, the numbers on this go
over 90 percent in polling. There should be a law that protects
children. OK? There can be a debate perhaps over adults. But on
kids, you know, they have a right to be forgotten. What they
put online when they are kids, it shouldn't come back to haunt
them in their college application. They have a right to
develop. Kids have a right to develop. Kids have a right to
make mistakes. And they have the right to be forgotten so that
they can flourish into adulthood and not have this material
they put online when they were 13, 14, 15 haunting them for the
rest of their lives. Can we all agree upon that?
You agree with that, Mr. Strickling, that there should be a
law that gives parents the rights to be able to erase this
information?
Mr. Strickling. We absolutely support the idea that we need
special protections for kids. That is laid out in our Consumer
Bill of Rights.
Mr. Markey. Would you support a separate piece of
legislation just to give that higher level of protection to
children?
Mr. Strickling. We absolutely would be willing to work with
you to develop that legislation.
Mr. Markey. And do you agree that children are entitled to
a higher degree of protection?
Mr. Strickling. Our Consumer Bill of Rights recognizes
that. And indeed, we could see moving forward fairly quickly,
under our framework, to develop codes of conduct with respect
to the very specific issues you have laid out.
Mr. Markey. You are saying legally enforceable. You are
saying legally enforceable rights that parents could take the
companies to court.
Mr. Strickling. Under our framework, once the companies
adopt those policies----
Mr. Markey. No, but even if they don't adopt them. Let's
say there is an outlier, a pirate company exploiting children;
would you give the right to parents to go against a pirate
company that is exploiting a 13-year-old girl who went online
just trying to find information about her weight, and now she
is being bombarded with 100 companies who are pirate ships?
Would you give the parents a right to go against those
companies?
Mr. Strickling. Again, the basic principles----
Mr. Markey. No, would you give the right----
Mr. Strickling [continuing]. Absolutely are important, and
need to be supported. And again, we have not taken an
administration position on this. But we will work with you on
it.
Mr. Markey. Would you give them the legal right to go
against the pirate ship coming against a kid, trying to exploit
her anxiety about her weight, and now she is being bombarded by
hundreds of companies with weight loss information?
Mr. Strickling. It is well worth being considered.
Mr. Markey. Well, I think you should not just consider it.
I think you should support it, Mr. Strickling. I think that
should be illegal if the parents want to block that company. I
just think you are wrong on that. I don't think just consider
it; I think it has to be the law.
What do you think Mr. Leibowitz? Should there be a law?
Mr. Leibowitz. Well, as you know, our proposal for our
COPPA update involves the notion of you need parental consent
before you track children. So it would put sort of--it would
really put much of your legislation, that Do Not Track kids,
into place. Now, we are still taking comments. We haven't
decided what we are going to do. But we are very supportive of
the notion.
And I just want to make a couple of just other
observations, and I will turn it back to you. So one is one of
the great things about your legislation, and it is a reminder,
is that privacy is a totally bipartisan issue. And that goes
back to COPPA, when you and Mr. Barton and Senator Hollings and
Senator McCain were very involved in implementing it. It is a
fundamentally conservative notion in a certain sense. And it is
one that is very important.
And as you look at this committee, or this subcommittee, I
think everyone cares about it. You come at it from slightly
different perspectives sometimes, but it is very much a
bipartisan notion. And the notion of children as vulnerable is
one that you have already made that determination.
Mr. Markey. I do not believe that it is morally appropriate
for us to not put protections on the books, legally enforceable
protections for kids 15 and under. YouTube should not become
YouTrack. We should not have profiles of children being made by
adults and companies trying to exploit their vulnerability.
They have a right to be--they have a right to develop. And if
there is nothing we can't agree on, on privacy in general, and
I can see where that could happen this year, let's not have a
debate over kids and making it enforceable. They are a special
category. And I just hope the administration will zero in on
this and make sure that we provide those extra protections. I
thank the gentlelady.
Mrs. Bono Mack. Thank the gentleman.
And the chair recognizes herself for 5 minutes.
And I yield to Dr. Cassidy for questions.
Mr. Cassidy. Thank you.
Mr. Leibowitz, you had said you had read the previous
questioning. So I just thought I would follow up on a couple
things that I previously brought up. A voluntary kind of, OK,
we are going to address privacy is fantastic. And again, I am
just so impressed with how you all have worked through many of
these issues. But I am struck that there is little ways that
obstruct me, when I am on the Internet, from protecting my
privacy. So, once I was on an Apple site, and I actually
clicked ``read here'' before you check to make sure, and it was
literally pages of often repetitious, irrelevant material that
I had to dig through to find that which was important about my
privacy. And you begin to wonder if it is not tucked away in
this thick forest of obfuscation solely because I get
discouraged and say what the heck, let me hit the button,
number one.
Number two, I think it was YouPlus on Google, or some
function on Google where I said, let me explore. I go over
there, and I almost had to reboot my computer to get that
screen down. Now, I just tried to log on to see if that was
still the case, and I couldn't get back to where I was. They
probably know I am in here. But that said, it was just
remarkable how easy it would have been for me to agree to turn
over my personal data and how I could not hit a back button to
get off that screen. I had to close the browser and reopen to
get to my Gmail account.
So, that said, there are subtle or not so subtle ways in
which we are herded into confessing our personal information,
if you will. Your thoughts on that? And I asked that before, so
since, again, you all are giving great testimony, I thought I
would bring it up again.
Mr. Leibowitz. So on the privacy policy length and the
inability to read it, according to TRUSTe, which is sort of a
technology-based research company in San Francisco, Declaration
of Independence, about 1,300 words; I Had a Dream speech, about
1,600 words; and average privacy policy, over 2,000 words. I
asked my staff to look at privacy policies on mobile, and I did
say, find me the worst one. And they found a mobile privacy
policy that was 102 clicks. So you certainly shouldn't read it
while you are driving, but no one is going to read it at all,
except for my staffer, who had to.
Part of the reason why we support Do Not Track, again,
which is voluntary, and which I think companies are moving very
close to implementing, is because it gives you the right to opt
out of having someone collect your information; only for third
parties, not for first parties. When you are on someone's Web
site, they should be able to track you. You sort of understand
that around the Web site. But people who are dropping cookies
in your computer, which is your property, they should give you
the right to opt out.
Mr. Cassidy. So if I log on Apple iTunes, and I click, yes,
you can track me, if you will, that is only for Apple iTunes;
it would not be on Safari tracing me all across the Web?
Mr. Leibowitz. Yes, that would be--under our voluntary
proposal, you would be able to opt out. I would say this. When
you talked about the difficulty you had of getting out of a
particular site, when we were--when I first came to the
commission, shortly after, we were very involved in nuisance
adware cases. So spyware that is in your computer. You can't
pull it out. It is the software you can't get out, because they
want to hide, and it serves up ads. So maybe it serves 20 ads
to you a day. But, you know, in the aggregate, one company
admitted putting cookies in I think 100 million consumers'
computers. You know, in the aggregate, an enormous amount of
harm, right?
And so those cases, like the one you talked about, and
maybe we will have an offline conversation if you know the
company, those begin to get into an area of unfairness where we
might be able to go after them. It sort of depends--you have to
see the context of it. But when you are making it difficult for
someone to just get off of a screen, and if they are sucking up
information that you don't want them to, that may very well be
an unfair or perhaps a deceptive act or practice under the FTC
Act.
Mr. Cassidy. OK. To an extent, it may be caveat emptor; and
to an extent, it may be, yes, they are doing something
deceptive.
Mr. Leibowitz. Yes, I think that is right. And just going
back to the reason we support privacy legislation, again, going
back to Chairman Bono Mack's point that you have to hit the
sweet spot--I know you are not endorsing the legislation, but I
thought that was something that is important to note--is we
can't require privacy policies in advance by companies. So one
of the things that the Commerce Department's voluntary codes of
conduct might be able to come up with is standardized privacy
policies that are short and readable and the companies will
adopt. And that is a good thing. And that is something you
could require, for example, in legislation.
Mr. Cassidy. Or even an abstract of two sentences placed
above that which the attorneys want you to include.
Mr. Leibowitz. Yes. Because--yes. And you know, look. What
we want, and again, this is a document about best practices for
the most part, what we want is best practices with respect to
consumers and protecting their information. But look, it is
better to have a notice in two sentences that says, if you come
on our site, we are going to take all the information we can
and do many things with it, than not understanding that at all.
And I think if you understand, you know, the value proposition,
if consumers have real privacy protections, and surveys have
shown this, they will engage--they will have more trust in the
Internet. They will engage in more commerce, and it is a
virtuous cycle. But again, there are best practices, and many
companies engage in best practices, but not all companies do.
And so part of the reason why we support legislation is
because self-regulation has been--or is because self-regulation
has been erratic. And we all know that from the number of
breaches that we read about, for example.
Mr. Cassidy. OK. I yield back.
Thank you.
Mrs. Bono Mack. Thank you, Dr. Cassidy.
The chair recognizes Mr. Harper for 5 minutes.
Mr. Harper. Thank you, Madam Chair. Thank you for holding
this hearing.
Gentlemen, I thank you for being here. I know you were
looking for something fun to do today, and we are glad to have
you here with us.
Mr. Leibowitz. Always delighted to be here.
Mr. Harper. There you go.
I will start with Mr. Strickling, if I can. Before the
stakeholders can address what should be permitted and what
should be out of bounds for purposes of consumer information
practices, they will have to define harm. Outside of a data
breach, how do you personally, or as head of NTIA, define harm
in this context? I think that is really a critical deal for us
is, how do you truly define harm? So how do you define it
personally or within these confines?
Mr. Strickling. Right. Let me state, though, at the outset
that developing these codes of conduct are not going to require
the parties to define harm, because there are many goals in
place here, one of which, which is fundamental to our work and
is, I believe, fundamental to this committee's work, has been
to promote innovation on the Internet. We do believe the
development of these codes of conduct will help promote
innovation on the Internet by allowing companies to retain the
flexibility they need to have to try new business practices.
But within that, as we think about harm, it is harm to
consumers, as we have already discussed, but it is this larger
question of, how do we continue to grow and expand the Internet
economy? How do we protect and promote innovation?
It would be a harm to our economy, it would be a harm to
American business if something were to happen that the Internet
stopped being the tool of economic growth it has become. And to
that, we link this concept of trust. What has allowed the
Internet to grow has been in large part the trust that all of
the actors have, that their information and that their
transactions are protected on the Internet. So, in the
development of these codes of conduct, to the extent we can
continue to grow that trust, we then think that helps promote
innovation, promotes new businesses. And that is very much a
goal of what we are trying to accomplish here.
Mr. Harper. Do you see users of the Internet having a
changing view of the expectations of privacy?
Mr. Strickling. Absolutely. And what we want to preserve is
both the flexibility that comes from technological change as
well as the flexibility that emerges as consumer expectations
change. That is why we are most emphatically not proposing a
regulatory solution here. We are proposing these basic
principles, which are very, very similar to the same principles
that were first enunciated over 30 years ago, nearly 40 years
ago, in these fair information practice principles. That is
what we want to see enshrined in legislation.
And to Congressman Gonzalez's point earlier today, these
are principles that are not going to change that much over
time. How you implement them, the processes that are used,
those will definitely change as a result of technology. And
that is the flexibility we want to preserve. Because these
codes, once they are developed, can certainly come back and be
reexamined and changed to deal with changing circumstances in
the market.
Mr. Harper. Are you anticipating perhaps for users of the
Internet to receive future warnings as to expectations of
privacy? Are you anticipating any type of warning system or
change in those warnings?
Mr. Strickling. Well, it is in our basic baseline that
consumers ought to be informed of those sorts of changes. But
again, how that would be done, that we want to leave to the
private sector to determine through these discussions.
Mr. Harper. Mr. Leibowitz, for years, I know FTC has
prosecuted under its Section 5 authority only when there was a
tangible harm unless the action involved deception. In fact,
the FTC specified this practice in previous statements to
Congress. The essential question I think in the broader privacy
debate is, what is the harm to consumers that we are trying to
address with these proposals?
Mr. Leibowitz. So that is a great question. And I would say
this. A couple points. So it is easy to define harm. We brought
dozens of cases in the last 3 years, since the recession,
involving foreclosure rescue scams and debt consolidation scams
where companies would say on the radio, or call up and say, if
you give us $5,000, we will get your mortgage and arrears back
in shape. And they take the money, and they do nothing. So we
all understand that is tangible harm.
But now go back to Mr. Cassidy's question, which is, you
know, involves things like pop-up ads or nuisance adware. All
right, I would say that is harm as well. Now, it may not be
much harm to an individual, but in the aggregate, it is harm.
So part of the reason that we wrote--part of the reason that we
wrote this report, which is about best practices, is because
with privacy, we have tried the harm-based model, we have tried
the notice and choice-based model. Now we know privacy policies
don't really give people as much notice because they are
incredibly long and difficult to read as we would like. So both
of those models are ones that we used for prosecution.
But we also thought that with respect to privacy, where
these issues are, as you know, pretty thorny and pretty
difficult, it is best to engage, it is best to have best
practices. I think this also goes back to the Commerce
Department's notion of voluntary codes of conduct, where
companies will decide what works best.
Mr. Harper. OK. Thank you.
I yield back.
Mrs. Bono Mack. Thank the gentleman.
And I would like to thank our panelists for being here
today. I look forward to our continued work together to do all
we can to protect the online privacy of American consumers.
Again, thank you for your time. You have been very generous. At
this point, we are going to take a very brief recess as we seat
the second panel. So thank you again.
Mr. Leibowitz. Thank you, Madam Chair.
Mrs. Bono Mack. Hopefully, we can do this change in 1
minute or less for the second panel.
[recess.]
Mrs. Bono Mack. All right. We are going to continue with
our second panel. So joining us today are Berin Szoka,
president of TechFreedom; Pam Horan, president of Online
Publishers Association; Jonathan Zuck, president, Association
for Competitive Technology; Mike Zaneis, senior vice president
and general counsel for the Interactive Advertising Bureau; and
Justin Brookman, director of consumer privacy, Center for
Democracy and Technology.
Good morning to our distinguished panel. Thank you all for
coming. You will each be recognized for 5 minutes. To keep
track of the time, please note when your light turns yellow,
you will have 1 minute left. Again, we ask that you pull your
microphones close to your mouths so everybody can in fact hear
you.
And at this point in time, Mr. Szoka, welcome, you are
recognized for 5 minutes.
STATEMENTS OF BERIN SZOKA, PRESIDENT, TECHFREEDOM; JONATHAN
ZUCK, PRESIDENT, ASSOCIATION FOR COMPETITIVE TECHNOLOGY; PAM
HORAN, PRESIDENT, ONLINE PUBLISHERS ASSOCIATION; MICHAEL
ZANEIS, SENIOR VICE PRESIDENT AND GENERAL COUNSEL, INTERACTIVE
ADVERTISING BUREAU; AND JUSTIN BROOKMAN, DIRECTOR, CONSUMER
PRIVACY, CENTER FOR DEMOCRACY & TECHNOLOGY
STATEMENT OF BERIN SZOKA
Mr. Szoka. Thank you, Chairman Bono Mack, Ranking Member
Butterfield.
Let's try again. Chairman Bono Mack, Ranking Member
Butterfield, Vice Chairman Blackburn, members of the
subcommittee, thank you for the opportunity to testify at this
important hearing.
I commend you, in particular, for emphasizing the word
``balance'' in the title of today's hearing. As valuable as
privacy can be, its value is not absolute. Privacy advocates
and policymakers alike all too often overstate the value of
privacy and understate its costs. We should approach privacy
like any form of consumer protection, weigh harms against
benefits, and empower consumers to make the right choices for
themselves wherever possible.
The White House report gets the most important question
right: Government lacks the flexibility, speed, and
decentralization necessary to address Internet policy
challenges. However laudable the report's principles, what
matters is pragmatically transposing them into concrete rules
that recognize real world trade-offs with innovation,
convenience, and other competing values. Only a multi-
stakeholder self-regulatory process can do this effectively.
But to avoid failure by design, that process must be
voluntary, as the White House promises. Consumer advocates can
play a vital role in offering constructive specific
contributions in public fora. They can use public pressure to
promote compromise within industry. But as with the DAA process
itself, the difficult work of forging consensus must ultimately
take place in private, and it must be industry that ultimately
votes. There is much more to be praised in the White House
report and the FTC report. But the White House's overall
approach is both, well, unfair and deceptive.
First, while the White House report reminds us of the
Fourth Amendment's essential protection against unlawful
intrusion, it neglects to mention that the Fourth Amendment
protects us against such intrusion by government. By using the
term Consumer Bill of Rights just 2 months after a unanimous
Supreme Court denounced excessive government surveillance in
its Jones decision, this seems to me to be a constitutional
sleight of hand, while the real Bill of Rights remains in
peril.
Second, while the Fair Information Practice Principles play
a useful role in conceptualizing consumer privacy protection,
they are not enough. As law professor Fred Cate argues, the
FIPPs have ultimately failed to serve consumers. Data
protection laws should instead regulate data flows only when
necessary to protect individuals from harm, while maximizing
the flow of data. This is precisely why it is so important that
both reports support proper re-identification of data as a way
of balancing reasonable risks with the benefits of data-driven
research and serendipitous innovation like Google's flu trends.
To quote Professor Cate, ``Data protection is not an end in
itself, but rather a tool for enhancing individual and societal
welfare.''
Indeed, as the FTC itself declared in its 1980 policy
statement on unfairness, unjustified consumer injury is the
primary focus of the FTC Act. The question policymakers should
be asking is, what harms should the law remedy? Where the FTC's
authority has proven inadequate, Congress has passed laws to
remedy clear harms, such as the Fair Credit Reporting Act.
But before legislating further, Congress should ask whether
the FTC can adequately address substantial harms through its
unfairness and deception authority. The FTC must walk an
exceedingly fine line on unfairness. If used too seldom and if
defined too narrowly, unfairness will fail to protect consumers
from real harm, suggesting legislation is needed when in fact
it is not. But if defined too broadly, unfairness will again
make the FTC the national nanny, as the Washington Post dubbed
the agency in the 1970s. Only this time the FTC will be
micromanaging not children's advertising and funeral parlors
but the very tools by which we communicate with each other. At
worst, the Unfairness Doctrine would likely have banned the
camera, that great invader of privacy, back in 1890. But at
best, unfairness could supplement self-regulation if the FTC
becomes more rigorous in its analysis.
Even as the FTC has lamented the inadequacy of its current
authority, it has staked out a bold position on the scope of
harm covered by unfairness. While unfairness certainly can
cover nonmonetary harms, like reputation, the Unfairness
Doctrine requires actual harm, not merely the risk of harm.
While the Unfairness Doctrine should never coerce compliance
with self-regulation, as Chairman Leibowitz suggested, it can
validly punish laggards that persist in a practice disavowed by
most of an industry. For example, standard industry practice
recently helped the FTC establish that it was unfair for the
Frostwire mobile android app to share every file on users'
mobile phones without disclosing this when users did not expect
this setting and could not change it easily. Unfairness is
intended precisely to discourage such traps but not to punish
innovative new paradigms for sharing information.
If the FTC dictates fair product design based on static
user expectations, innovations that change our thinking about
privacy, like the camera in 1890, will suffer. The problem with
the Unfairness Doctrine is that the FTC has never had to defend
its application to privacy in court, nor been forced to prove
harm is substantial and outweighs benefits.
Given the strong reputational incentives by companies to
settle out of court, only Congress can call the agency to
account. Just as Congress once required the agency to produce
its unfairness and deception statements, Congress should
require the agency to explain how it has applied both doctrines
to privacy.
And finally, Congress must ensure the FTC has the technical
capacity for effective enforcement to balance its harms with
benefits. The right measure is not how many lawsuits the agency
brings, but whether it effectively deters the occasional abuses
of data while enabling and even encouraging the overwhelming
benefits created by the steady flow of information. Thank you
again for inviting me to testify here today.
[The prepared statement of Mr. Szoka follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you, Mr. Szoka.
Mr. Zuck, you are recognized for 5 minutes.
STATEMENT OF JONATHAN ZUCK
Mr. Zuck. Chairman Bono Mack, Ranking Member Butterfield,
distinguished members of the committee, thank you for holding
this hearing and allowing me to participate.
I have, as the app trade association, get asked to talk
about the app industry over and over again. And what is amazing
is that every time I talk about it, the new figures surrounding
the app marketplace continue to go up. Before we even reached
previous projections of $8.3 billion that were supposed to
happen by 2013, we are already at a $20 billion industry that
is now projected to be $76 billion by 2015.
So as was mentioned earlier, the employment statistics that
are fueled by this incredible growth are clear for everyone to
see. And it is a small business phenomenon. Eighty percent of
its marketplace is made up of small businesses, companies like
Zco in New Hampshire and companies like InterKnowlogy in
California and Computer Ways in Florida. So there is this
dispersed and small business element to this that I think has
to always persistently be acknowledged when discussing the
potential impact of regulation.
I have had the opportunity to participate in many multi-
stakeholder processes around the world. And despite that fact I
am still interested in participating in the one being convened
by the Commerce Department. If anything, it should be better
than the sort of de facto regulation that comes to enforcement.
If we take the example of Google Buzz that Chairman Leibowitz
raised, that is a clear case where an enforcement action was
brought, but instead of punishment being the result, the result
was the bare bones of a regulatory expectation that has
survived until today with their Do Not Track proposals that
would in fact create a regulatory framework for everyone else
that would benefit Google over its competitors. So that can't
be the best outcome, especially when no one else had a say in
how the proceedings would take place. Certainly a multi-
stakeholder approach is a superior one.
But I guess my one hesitation, if you will, with the multi-
stakeholder discussion as they are being currently proposed is
the suggestion that we should begin the discussion with mobile
apps. And certainly as the mobile app trade association, it is
predictable I would say that. But I would guess I would say
this is the area of the industry that is the newest, and the
area of the industry that is most dynamic, and the area of the
industry that is least understood. So as a practical matter the
idea of beginning there seems ludicrous because it is the thing
we know the least about and the thing we are in the least
position to make decisions about. So the only real conclusion
that I can draw it seems like the easiest group to try to
impose regulations on, and I think that is the wrong way to
approach this process.
The real issue has always been about data and we need to
make sure, as the FTC pointed out, that that data is online and
offline data and that it has do with it no matter how it is
collected, but instead has to do with the conditions under
which data can be collected, the conditions under which it must
be stored both from a security and a privacy standpoint and
also conditions under which it can be shared.
There is an old saying that the memo makes the meeting. And
so even though everyone is talking about nonbinding voluntary
things that we also want legislation to support, it is tough
for me to keep track of all of that. Even in that context the
very fact that I am raising this issue first means that I am
suggesting that this is the issue most in need of addressing.
And that will already have an impact on consumer understanding
of that marketplace.
At best there is the suggestion that this is the most
important area to address and at worst the suggestion can be
made that it is the only area that needs to be addressed, when
the reality is it is data that is the most important. If the
memo makes the meeting, the we start off the meeting with
everyone trying to figure out how they are not supposed to be
the ones being discussed. GM will certainly suggest that OnStar
is not mobile technology, even though I would suggest that it
is. Instead if we decide something like location data is the
place that should be discussed first, then it will apply across
the board.
Secondly, the memo makes the news. So you have the same
sort of situation that says that we have suggested that this is
the most important way of proceeding when in reality I think
that to the extent there is consumer concern about privacy, as
Chairman Leibowitz brought up, it has been more driven by large
data breach failures by a few large players and persistent
disregard for privacy by a few large players and doesn't have
to really do with the mobile apps that seem to be the focus of
attention currently.
So while I support the multi-stakeholder approach andI look
forward to participating in it, I think it is really imperative
to remember that the only way that a multi-stakeholder approach
will work is if everyone has a stake in the outcome. If you
don't have--otherwise we in the mobile app community are going
to feel like we are the steak and everyone else is carrying
around A1 sauce. So I would like to make sure that we focus on
the data and not the technology it is collected.
Thank you.
[The prepared statement of Mr. Zuck follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you, Mr. Zuck, for the sound byte of
the day. And Ms. Horan, you are recognized for 5 minutes.
STATEMENT OF PAM HORAN
Ms. Horan. Chairman Bono Mack, Ranking Member Butterfield,
and distinguished members of the subcommittee, thank you for
the opportunity to speak with you today. My name is Pam Horan,
and I am the President of the Online Publishers Association.
The OPA is a trade association that represents the online
content community and its unique role in the future of media.
Our members include some of the most respected online
publishing brands from Gannett, the New York Times, CBS
interactive to Washington Post, Time, Inc. and Disney
Interactive media, to name a few. OPA members are the public
face of the Internet with well established track records of
integrity and quality. Many of our members serve a critical
role in a functioning democracy to gathering and distribution
of news and information.
OPA members have long understood the need to respect and
protect consumer privacy. These trusted brands hold a direct
first party relationship with their consumers. They must
maintain confidence in their brands to attract the large
audiences necessary to compete in the advertising marketplace.
With thousands of alternative Web sites just a click away,
there are a multitude of places online for consumers to easily
get their news, information and entertainment, especially if
they don't trust a Web site's privacy practices.
Both the Department of Commerce's Consumer Privacy Bill of
Rights and the FTC's privacy report that was released this past
Monday recognizes that companies do not need to provide choice
before collecting and using consumer data for practices that
are consistent with context or consumer expectations.
A good example is if a user might visit CNET.com, a leading
source of technology product reviews, to research 3-D TVs. As a
user is reading a review of Sony's newest 3-D TV CNET might
show a list of similar products viewed by others who also read
that review. Consumers expect and want publishers to offer
additional content that enhances their Web site experience.
Last year our members invested over three-quarters of a
billion dollars in the production and creation of high quality
online content. Given the infancy of the industry and the
economic challenges facing the publishing businesses, it is
important to continue to allow publishers to monetize their
investment, especially when their efforts meet consumer
expectations.
We are encouraged by several of the principles contained in
the Consumer Privacy Bill of Rights. One is the respect for
context. That principle supports that first party data
collection practices fall within consumer expectations and
consumers trust first parties to collect and use their data
appropriately.
Second is the access and accuracy principle, which
recognizes that a consumer's right to being assess the data a
company holds could have First Amendment implication. OPA
members play a critical role in gathering and distributing news
and information, which is necessary for a vibrant democracy. We
appreciate that the administration notes that this principle
should be interpreted to respect the freedom of the press.
There are several other aspects of Consumer Privacy Bill of
Rights which are of concern. The report urges consumer facing
companies such as publishers to disclose not only their own
data collection and use practices but also those of their
business partners. Publishers are actively working to monitor
and track the data collection activities of third parties on
their Web sites in order to protect their consumers. However,
based on the complex and dynamic nature of the Internet and the
sheer number of partners and service providers, this is a
daunting task. The obligation to disclose practices of other
parties implies that publishers would be responsible for
violations by these other parties. We believe that, as in the
case of the DAA self-regulatory program, each entity that
collects and uses data is and should be accountable.
Also, the Bill of Rights urges companies to provide
consumers with a reasonable way to access all data that a
company holds about them while providing appropriate privacy
protections. This presents significant technical challenges
that could actually increase risk to consumers in the end.
The OPA has worked closely with our colleagues in the DAA
to create a self-regulatory regime to provide transparency and
choice for consumers. Online privacy is different for every
individual and the DAA self-regulatory program accommodates
those individual choices with ease.
Self-regulatory models such as the one developed by the DAA
can more efficiently adapt to technological innovation and
evolving consumer needs, thereby offering the most effective
privacy protection. Ultimately we believe industry self-
regulatory program can more quickly and effectively deliver
privacy protections for consumers than a legislative or
regulatory approach.
Thank you for the opportunity to share the perspective of
first party publishers with you today. I look forward to
answering any questions you may have.
[The prepared statement of Ms. Horan follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much. Mr. Zaneis, you are
recognized for 5 minutes.
STATEMENT OF MICHAEL ZANEIS
Mr. Zaneis. Thank you very much, Chairman Bono Mack and
Ranking Member Butterfield, for this opportunity to testify
before you on these important issues today. My name is Mike
Zaneis.
Mrs. Bono Mack. Please pull your microphone closer.
Mr. Zaneis. My name is Mike Zaneis, and I am the Senior
Vice President and General Counsel for the Interactive
Advertising Bureau. IAB represents more than 500 leading new
media companies. That includes the largest Internet portals and
search engines, traditional newspapers and magazines,
television broadcasters who are migrating their content to the
digital world. And increasingly that includes the smallest
players in this ecosystem, the mom and pop small publishers
that constitute the long tail of Internet. But the thread that
binds them all together is they depend upon digital
advertising, the advertising revenue that allows them to invest
in creative new content and innovative services, almost all of
which are available freely to consumers.
So I would also like to take this opportunity to
congratulate President Obama's administration and the Federal
Trade Commission on the release of their respect of privacy
reports recently. We are especially gratified when both reports
recognize the tremendous success of industry self regulation in
the consumer privacy arena.
Some 4 years ago IAB joined with our sister trade
associations, the 4As, the ANA, DMA and in conjunction with the
Council of Better Business Bureaus to create the most
comprehensive, digital consumer privacy self-regulatory
program. We were especially proud to be asked to participate,
as you were, Chairman Bono Mack, on February 23rd when the
White House held a press conference to release their privacy
report. The DAA was held up as a model of success for what they
call enforceable codes of conduct. Similarly, the FTC has
recognized the great progress that we have made in self-
regulation. And I think that all of this praise is with great
merit.
I would like to share a couple of data points with you,
metrics of success if you will. As Chairman Leibowitz testified
to earlier today, the DAA program is transforming the way
consumers receive information about how data is collected and
used about them online. The ad choices icon, that little blue
triangle with an ``I'' in it that you are seeing all over the
Internet is being served within more than 1 trillion ads every
month. Let me repeat that, more than 1 trillion ads every month
contain this new notice provision. It is easy, it is easily
discoverable for consumers. They can click on the icon and
within 2 or 3 sentences they can understand how data is being
collected about them. This is revolutionary.
Of equal importance is the fact that within that simple
notice they can click through to the consumer choice page. And
that is a simple, one-stop shop mechanism for consumers to opt
out of having data collected about them. That is key. We have
over 93 third-party entities participating in the DAA consumer
choice page. It covers well over 90 percent of the ecosystem.
The last statistic I would like to share with you is
through the Council of Better Business Bureaus' enforcement
program we are covering 100 percent of the digital advertising
ecosystem. That is because the BBB doesn't just enforce against
IAB members or DAA members. No, they enforce against every
party throughout the supply chain, and that is key because we
know any self-regulatory program is only as strong as the
enforcement mechanism behind it.
I think that this track record of success is what I would
like to really focus on with the last minute I have here
because there is a cautionary tale in each of these privacy
reports as well. We want to ensure that any additional
enforceable codes of conduct that are developed really build
off track record of success self-regulation proven recently.
Instead of displacing it we should build on that.
Secondly, I want to make sure before government entities
call for new government burdens and requirements, that they
have identified specific concerns and that they have well
targeted legislative proposals to address those concerns.
Lastly, I would like to point out one provision that we
have great concern with in the Federal Trade Commission's
report, and that is this new call for data broker legislation.
I think we need to realize the FTC has given great praise
to self-regulation with one hand and we want to make sure that
they don't take that away by having an overly broad definition
of data broker. In this day and age in the digital economy we
have to realize that every publisher, every marketer, every ad
agency, every advertising network and every analytics firm that
is operating on the Internet transacts in data. We have to
understand that in this information economy data is the new
currency.
With that, I look forward to working with the subcommittee
and the full committee, the Commission and the administration
as we move forward on these issues. And I look forward to
taking any questions you may have.
[The prepared statement of Mr. Zaneis follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you very much.
Mr. Brookman, welcome. And you are recognized for 5
minutes.
STATEMENT OF JUSTIN BROOKMAN
Mr. Brookman. Thank you, Madam Chairman, Ranking Member
Butterfield, members of the committee. Thank you very much for
the opportunity to testify in today's hearing. I think you have
chosen a really apt title for this hearing. Privacy and
innovation are two issues that are very near and dear to CDT's
heart. They are both vitally important and I think it is fair
to say we probably failed so far in obtaining both of them for
consumers.
However, I want to stress that privacy and innovation are
not opposite ends of the spectrum. Innovation and privacy are
not a zero sum game. To the contrary, invasion thrives in an
environment of trust. And the assurance of privacy is integral
to consumer trust and new technologies.
I think over the past couple of years we have started to
reach a tipping point where consumers have developed
considerable mistrust about how their information is being
collected and used both online and off. I can refer you to my
written testimony for just a handful of any number of recent
studies demonstrating that modern consumers are very, very
worried about privacy and in many cases are resisting adoption
of technology such as location base services and mobile banking
applications because of concerns about protection of their
personal information.
In short, if consumers are unable to trust this
increasingly complex network of innovative services, then
innovation itself will suffer. For this reason we have seen a
number of leading companies step forward and say the United
States needs a flexible comprehensive privacy law.
Two years ago before this subcommittee was Intel and
Microsoft, who testified in a hearing about their support for
privacy legislation and the need for clear and consistent
consumer protections to encourage the adopting of cloud
computing technologies. But it is also increasingly emerging
niche players in smaller and developing markets who stand to
benefit from increased consumer trust of a result of consistent
privacy standards. So recently the chief strategy officer of
the Honda Group, which is a consulting firm for facial
recognition and digital signage companies that evaluate
consumer faces in public and try and decide what ads to show to
them, argued that our industry needed a legislative solution on
privacy, saying that whether through an expansion of the
Electronic Communications Privacy Act or under entirely new
privacy legislation I believe that clear and concise rules
regarding what can and cannot be collected and/or communicated
through digital media and integration will minimize unnecessary
confusion, vulnerabilities and liabilities to consumers,
network operators and deployers.
Now this is an industry at the bleeding edge of technology
arguing for baseline rules to promote trust in their products.
In fact CDT has worked really closely with members of this
industry to develop voluntary codes of conduct to promote that
trust. So far it is just the self-regulatory standards not
everyone has to follow. And there is concern that leading
actors will try to do the right thing to promote trust in the
ecosystem but the smaller free riders who are not as publicly
known or don't have a consumer effacing side will fail to
follow those same rules and will be able to coast on and
consume that goodwill from self-regulation. That is from those
who have agreed to protect consumers' privacy.
So for these reasons CDT has been really supportive of the
idea of comprehensive privacy legislation both to protect
consumers' rights, but also to foster confidence they can
engage with and adopt new services and technologies without
worrying that they have no idea and no way to find out what is
happening with their personal information.
I think the goal that legislation is trying to achieve
here, I hope not controversial, is to treat user information
reasonably, to follow the basic principles of transparency
about practices, but not requesting or retaining more
information than you need, giving users some measure of control
over what happens to their information. The hard question has
always been how do you take these high level ideas and turn
them into operational rules or reverse business practices and
technologies and industries. And how do you give companies
certainty that their practices will be deemed appropriate? You
could have very prescriptive technology specific legislation
which would have to be updated constantly like the Tax Code. At
CDT we push against that approach because we don't think
statutory law should mandate particular technological solutions
and that law will have trouble keeping pace with the
technological innovation.
The value of the voluntary code of conduct approach is that
industry will have a key role in taking a hand at developing
the specific rules that they will be following because they
typically have the most knowledge about how the technology
works and what will and will not be practical. We believe this
is the best way to create certainty for companies and encourage
privacy innovation over time and reward the adoption of
accountable practices.
Another way to do it could be through FTC rulemaking and
enforcement powers and useful backstops. But I think the
preferable ideal approach is for stakeholders to come together
to develop reasonable, rational flexible rules for industry
players that they can rely upon as they develop new ad innovate
consumer services.
Now we have some concerns about whether this multi-
stakeholder process will work without substantive law in place,
that you need to get soft safe harbor compliance, deemed
compliance for. Ultimately I think it will be necessary for
legislation to incentivize companies to come to the table to
work on these industry wide codes of conduct. However, we
understand the administration's desire to move forward giving
consumer concern about privacy. And we are hopeful that there
are some areas where there are sufficient incentives to get
everyone to the table to agree to good strong reasonable
privacy rules. If that happens we can make substantive progress
on privacy now and we will have a model that should inform the
shape of privacy legislation in the future.
Thank you very much again for holding this hearing. I look
forward to discussing this issue with members of the committee.
[The prepared statement of Mr. Brookman follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. Thank you, Mr. Brookman. I am going to
recognize myself for 5 minutes of questioning, and I would like
to start with Mr. Szoka.
You criticize the White House's decision to use the phrase
``Bill of Rights'' in describing its privacy principles. Why do
you think that term is problematic?
Mr. Szoka. Well, for the very reason you heard today, the
term is now being used as a shorthand for regulatory framework.
We have a Bill of Rights in this country. I happen to consider
it the basis of our Constitution, of our civil liberties. The
White House essentially has appropriated that term for its own
purposes. Now you might think that the White House report is a
fairly good document. You might think we should do something on
privacy, but I don't think it is appropriate to use that term.
And I think if you look at the historical provenance of the way
the term in general Consumer Bill of Rights has been used in
this country, you go back to President Kennedy's 1962 Consumer
Bill of Rights. I still wouldn't have used the term then, but
even there the rights he was focused on were primarily rights
against deception and harm. And in my opinion those are things
already covered today by the FTC's act. They are things that
should be the basis for legislation. That is a very fine
concept for us to talk about. But for us to put the term
``rights'' into this conversation I think is counterproductive.
It makes it difficult for us to recognize the complex tradeoffs
that are at issue here.
Mrs. Bono Mack. Does anyone else care to comment on that?
No.
OK, let me ask the second question, and I will start with
Mr. Szoka again but open it to anybody who would like to
answer. I think whenever we use anecdotal questions, as Mr.
Markey did and talked about online privacy for children, I
think that was very important. But the question came to me, he
used an example of a 16-year-old searching weight loss products
and suddenly began being bombarded with weight loss ads that
were negative for a 16-year-old. But at the same time as
somebody who cares very deeply about the problem of drug abuse
in this country that 16-year-old was searching on the Web for
OxyContin. Could not that same child be targeted with ads for
rehab or recovery or drugfree.org? Couldn't there be the same
opportunity for good in that example? Does anyone want to
comment on that?
Mr. Szoka. If I may, absolutely. I think it is important to
remember here that when we talk about messaging we are not just
talking about selling products, we are talking about that sort
of expression. It could be for a health message, it could be
for any sort of social message, health message or religious or
political message. I also think it is important on that
particular example on Mr. Markey's bill to recognize that any
time we start talking about segmenting users by age we are very
limited in what we can do. COPPA strikes a good balance. If you
go beyond that you essentially wind up with an age verification
mandate system, which the Supreme Court has declared
unconstitutional.
Mrs. Bono Mack. Anyone else wish to weigh in on that?
Mr. Zaneis. Sure, I would like to. What you are describing
is exactly the power of the Internet, which is the ability to
provide relevant content. Sometimes that relevant content is
also the advertising. We have to be very careful not to close
the line into truly sensitive data categories. And the industry
has really since 1999 had a self-regulatory program through the
network advertising initiative, which cordons off certain
practices in data categories we think should be off limits.
But I think the key thing is it is not just about what you
specifically are looking for. One of the powers of the Internet
is this discoverability and learning things new and being
exposed to new ideas and new products. And I think because of
the data then flows online, that is enriching in the consumer
experience in exactly the way that you describe.
Mrs. Bono Mack. Thank you. Mr. Zuck.
Mr. Zuck. Just briefly to follow on what Mr. Szoka said, I
think it is not only a constitutional problem, but as a
programmer I have to call it a technical problem to do age
verification. In the absence of some kind of universal
biometric verification across the country, which a lot of
people would take issue with, I think the actual feasibility
from a technical perspective of identifying people's age is
something that really has to be taken into consideration as
well.
Mrs. Bono Mack. I want to actually move to the next
question to you quickly with 1 minute left. You are an
international organization with firms throughout the world. How
many U.S. firms versus non-U.S. firms do you have? And is there
a reason the U.S. is leading innovation in the Internet space?
And has the EU privacy directive hurt innovation?
Mr. Zuck. Thank you, Chairman, it is an excellent question.
As an organization we have about 4,000 members totally and
3,000 of them in the U.S. and perhaps about 1,000 outside the
U.S., and many of those in Europe, and so have had a chance to
hear the stories from both sides.
I think the reason the United States leads the world
innovation is because of the level experimentation that is
permitted in our economic system. So small businesses being
able to try things, bring out new products that people wouldn't
expect to succeed, and then quickly pull them off the market if
they fail, et cetera. Experimentation both in terms of business
model, experimentation in terms of the labor you are consuming
as a business are all things that make it possible for
entrepreneurship to thrive much better here than it does in
Europe. And there have been plenty of studies that have
affirmed the fact that undue regulation in Europe has stunted
the growth of Internet based startups in the continent.
Mrs. Bono Mack. Thank you, Mr. Zuck. My time has expired. I
am going to recognize Mr. Butterfield for 5 minutes, and we
have 2 votes on the floor. We will take a brief recess for the
votes.
Mr. Butterfield. Thank you. I will accelerate this.
Consumer choice about when and whether to disclose information
can often make an illusion. For example, it appears that
consumers have a choice about whether to give up personal data
in exchange for participation in a supermarket's frequent
shopper card program, for example. But we all know in the
current economy families are struggling to make ends meet. So
when a constituent or citizen trying to keep food on the table
and--let me try that again. So when constituents are trying to
keep food on the table and the difference between signing up
and not signing up is somewhere between $3 and $5 for cereal,
they don't have a choice. And for a family those differences
can add up to many dollars. Imbalances in economic power and
imbalances in the control of information needed for basic life
functions such as doing most jobs in an information economy
have made the choice over whether to give out personnel data
and illusion.
Please help me, Mr. Brookman, I just want, given the point
you raise in your testimony, do you have additional thoughts on
these observations?
Mr. Brookman. Yes. By and large I am actually generally OK
with people paying with their privacy as opposed to paying
higher dollars for goods and services as long as there is a
robust market for the products. So if one wants to get and use
their Safeway card and Safeway is going to give them cheaper
prices in exchange for some privacy, I mean if they don't like
that they can either not do it or go down the street to the
Harris Teeter. I think as long as it is transparent, I think
that is fine.
I think part of the problem with the online information
sharing is that it is not really transparent. Right now if I
want to evaluate New York Times versus Fox News for which one
treats my privacy better, which one is sharing more information
on me, I actually cannot make that determination. I can try to
install add-ons, I can try to figure out what is going on but I
need to be pretty technically sophisticated in order to do
that.
I think there have been improvements with the Icon program,
has made some progress in that direction. I think by and large
there is not a lot of education to teach people what that
means. I think whenever I talk outside of D.C. About the Icon
program, I ask people do you guys know what it does, generally
no one raises their hands. So I think more needs to be done for
publishers and advertisers to make that value proposition clear
to consumers, but as long as there is a value proposition I
think that does offer people better alternatives to make
decisions for themselves about what they want to do.
Mr. Butterfield. Thank you. I yield back.
Mrs. Bono Mack. I thank the gentleman. The chair recognizes
Dr. Cassidy before we break for the floor vote.
Mr. Cassidy. Mr. Szoka, I found all of your testimony
provocative but let me start with you. You dispute, somehow
disagree with the concept that my privacy would be considered
as a property right. I think, I don't want to mischaracterize,
you know so much more than me. I am trying to understand, I am
the pupil here. But I get a sense the logical extension of your
testimony is that minority report is quite OK, that I can walk
into a store and there will be some facial recognition software
that would say Bill Cassidy, 54-year-old fellow, who is a
little overweight, he needs a tailor. Will you please go down
the hall and you will meet the tailor?
One, that would be a troubling thing to be recognized as,
but secondly, again is the logical extension of your testimony
the minority report is OK?
Mr. Szoka. So I do agree that the property metaphor is not
a useful one for privacy. And the reason is that, for instance,
we are all here in this room. We all might in some sense own
our shared experience, but it is a shared experience. If you go
down the road of propertytising personal information and our
interactions with each other you create what I think becomes an
unworkable system of information control precisely because
those interactions are shared. If you take an off-line
example----
Mr. Cassidy. But What is the limit? What would be your
limit that you would establish what someone could do with my
personal information?
Mr. Szoka. As I said today and in my testimony, the clear
limits are harm and deception.
Mr. Cassidy. On the other hand, me walking into the mall
and having facial recognition software directing me, that is
Bill Cassidy, let's send them down here, would that be a limit
that you think--would that be over the limit or on the good
side of the limit?
Mr. Szoka. Well, in principle I think that those systems
can be done consistent with my conception of privacy. I think
what we need to do is look at how they are actually likely to
be done. And in this respect I would point you to the good work
that my colleagues at CDT, Harley Geiger in particular, have
done, describing the ways in which they think that self--that
industry is likely to actually implement those systems in the
privacy protection phase.
Mr. Cassidy. But now I am actually asking for the specific
question. Facial recognition software when I walk into Tysons
Corner directing me to a store that they kind of figure out I
need, is that an appropriate use, is that over the bounds or
within the bounds of what we should be doing regarding privacy?
Mr. Szoka. I think it certainly can be an appropriate use.
And just the same way I think that we are seeing concern today
about that it much resembles the concern about cameras and
photography.
Mr. Cassidy. I disagree with that and I saw your analogy,
but I will also say that if there is a picture taken of me in a
public event with folks who are not public figures, there is a
request that they sign over or the paper says maybe it is with
children I have noticed this, they get specific approval to use
that.
Now, Mr. Brookman, would you agree that facial recognition
software is an appropriate use, et cetera, et cetera?
Mr. Brookman. I think you draw attention to a really
important point and this kind of goes to the harm question we
keep talking about. I think there is some sort of harm, the
surreptitious pervasive collection of personal information
about ourselves that we have no control over whatsoever. And I
think you are absolutely right that it becomes scarier as
technology becomes more and more sophisticated. It is not just
online anymore, it is not just the fact that I can't be private
online. It is increasingly going to be the fact that I can't
walk down the street in public anymore without having cameras
collect who I am and watch where I go and create bread crumb
trails about my self over time.
And yes, to some extent increasingly everything we do about
ourselves is observable. And I think there needs to be some
sort of limitations on what companies can do about that.
Mr. Cassidy. Where is the limitations?
Mr. Brookman. I would say for private companies tracking
what you do in public, I would say that this is the guidelines
we have worked with some facial recognition companies on, is
they should not remember who you are over time and correlate
over time or identify you without your permission.
Mr. Cassidy. So I am a doctor, I can look at someone and I
can say at times they have liver disease because their eyes are
yellow or they have psoriasis because they have a patch of a
rash on their elbow or they have HIV because they have a
characteristic physical thing that is a side effect of some of
the medication.
Now is that appropriate for that computer software to
figure out what I as a doctor can figure out?
Mr. Brookman. I am happy to consider that particular
technological development.
Mr. Cassidy. It is very simple, I can promise you. That
would be so easily programmed to know if someone is on
steroids.
Mr. Brookman. The camera would detect this person is on
steroids?
Mr. Cassidy. Yes.
Mr. Brookman. Should cameras be doing that? I think that is
not a good practice. The question becomes should there be a law
against it? And that becomes harder because there are First
Amendment implications of that. But I think as we saw in the
recent Supreme Court Jones case the question whether a car
going around in public, can the police use technology to
monitor that 24/7? And the majority of justices said, no, even
though you are in public and things are observable, you have
some sort of privacy interest and the fact that even though you
are in public you don't expect you will be watched and
monitored and surveilled and your information collected over
time. That was a government case.
Mr. Cassidy. So if I am at Tysons Corner they should not
use a facial recognition to figure out----
Mr. Brookman. Right. They should not recognize you or
recognize the fact that you were last week shopping at
Victoria's Secret.
Mr. Cassidy. By the way, I wasn't. Thank you, I yield back.
Mrs. Bono Mack. The subcommittee will stand in recess for
these two votes. Hopefully we will be able to return within 20,
25 minutes, something like that. Lord only knows. If you will
stand by, we will return as quickly as we can. The subcommittee
is in brief recess.
[Recess.]
Mrs. Bono Mack. The vice chair of the subcommittee for 5
minutes, Mrs. Blackburn. You are recognized for 5 minutes.
Mrs. Blackburn. I am so thrilled that you all are hanging
with us today. Little did we know when we planned this hearing
that we were going to have five vote series today, but that is
where we are.
Berin, I want to come to you. Last panel I talked a little
bit about the FTC having sufficient authority to move forward
to enforce privacy violations and then if they enforced section
5 and do it right would that be enough. And we talked a little
bit about where the gap is, FTC and Commerce. I would love for
you to comment on where you think the gap is.
Mr. Szoka. Thank you, Congresswoman. Remember the FTC has
two authorities. The deception authority allows it to enforce
statements that a company makes, including participation in
self-regulation. I think that becomes the powerful tool by
which self-regulation, if a company accedes to it, is legally
binding as it should be. The unfairness authority I think is
where the FTC can do both the most good and the most damage,
depending on how it uses that authority. And I would point the
committee in particular to the Frost wire case I mentioned in
my testimony where to make a long story short the FTC I think
made a solid argument that industry practice against having
apps that would share every single file on your phone and not
tell you about it and make it difficult for you to stop that,
that that was an unfair practice in part because it didn't meet
industry practice. In other words, I think that the FTC can use
unfairness to punish laggards that do not keep up with industry
practice, but I think they need to be very rigorous in their
analysis of benefits, harms and the degree to which a consumer
can avoid a harmful practice.
Mrs. Blackburn. So you see a need for some flexibility?
Mr. Szoka. Flexibility, but I also think what is important
is the FTC explains ahead of time how it is going to apply that
authority, and in that respect I would love nothing more than
to see from your committee the sort of letter that prompted the
FTC in 1980 and 1983 to issue its policy statements on
unfairness and deception. And that would be a letter that
simply asks the FTC to explain in its recent cases how it has
applied those doctrines, how it actually evaluates whether
harms outweigh benefits and it provides rigor so that
companies, especially startups, can understand and predict what
could be considered unfair.
Mrs. Blackburn. OK. Let me just tag onto this because I
know you have criticized the White House for using the term
``Bill of Rights'' when they look at their privacy principles.
So if you are wanting to see those guidelines and see something
that gives you that rigor, if you will, then why criticize that
term?
Mr. Szoka. The White House proposal provides high level
principles. I think they are fairly good principles, but they
are abstract. And we cannot apply them strictly speaking. For
example, to say that consumers have a right to control
information about them I think is problematic because in fact
the way that our privacy law rightly has developed that sort of
concept is to say that in certain circumstances you don't have
a right to control, for example, what a credit bureau says
about you if it is truthful. What you have a legal right to do
is make sure that it is accurate. So the trick again is
translating those principles into workable guidelines. I think
to call them rights from the outset and put them in strict
terms is unhelpful because it is not how we actually apply
them.
Mrs. Blackburn. So we should keep the terminology stating
principles and guidelines and not move into that.
Mr. Zuck, I like all the talk about innovation and jobs
growth and potential and I share a lot of that optimism. I
enjoy sharing that optimism with you all. What bothers me in
spite of all the positive job numbers, opportunities for
growth, innovative new products that are there. We are having a
hearing essentially about what big government to do in order to
solve these problems and make people safer online.
I would like to hear your thoughts on how we found
ourselves in this awkward place where people love the
technologies and the applications but they do not trust all the
players that are in this online ecosystem. And what do you
think is the main driver of that uncertainty? And I am now down
to 43 seconds, so have at it.
Mr. Zuck. Well, I think there are a couple of issues that
play there. One of them is the conflation of data breach and
privacy. A lot of news, a lot of what caused the panic, if you
will, among the everyday consumer are large headlines about the
fact that Sony lost 70 million names and credit card numbers.
That is the kind of thing no matter what notice they were
provided, what other policy was in place, that is something
that should have happened. I think data breach is something
that has to be dealt with separately and we support that.
The other thing are simply privacy issues that happen on
such a large scale and drive headlines, whether it is Facebook
with the Beacon incident that happened or Google's almost
pathological disregard for privacy or public safety. And I
think as that continues to come up in the press it gives people
a certain fear, it leads to poll results that say I am worried
about my privacy. But then when it comes to metal hits the road
and we are talking about let's regulate mobile apps, I think we
are really missing the point. I think the real answer lies in
reinforcement from organizations like the FTC, but to the
extent possible without putative measures so people feel the
heat of that enforcement, instead of jumping immediately to
regulation.
Mrs. Blackburn. Thank you for that. I have a follow-up
question, but I will submit that as a question for the record
in the interest of time, but I would like to take that
discussion a little bit further with you. Thank you, I yield
back.
Mrs. Bono Mack. Thank you, Mrs. Blackburn. I am going to
start with our second round of questioning and recognize myself
for 5 minutes. And Mr. Brookman, just a follow on to your
conversation or dialogue earlier with Dr. Cassidy. He drew an
analogy between the use of facial recognition technology in the
mall to a Supreme Court decision in the U.S. v. Jones which
involved the police putting a trace tracking device on a car.
The court rightly in my opinion did find the Fourth Amendment
did apply in that case. But isn't the government's involvement
an important distinction, should we automatically be applying
the same protections against nongovernment actors?
Mr. Brookman. No, I absolutely agree to the fact that the
government in that case was the key distinction. I was focusing
more on the theory that the plurality of justice, Justice
Sotomayor, Justice Alito's opinion focused on the fact that
even though we are in public there are some inherent privacy
rights. We don't expect to be watched and monitored and
surveilled all the time. Yes, it is worse when it is the
government who have the guns and can put us in prison. I think
the principle also applies if it is the case and I am walking
down the street I don't have the ability to stop these nameless
and faceless companies from developing really detailed profiles
about me or even my own home. Some of the technology in the
government surveillance cases in the nineties were about like
these thermal imaging things. You can get them for $5 now, they
are available to any person or company.
There is a study recently by some researchers at the
University of Washington that pointed out that just by looking
at public--the way your phone line or power line vibrates from
the outside you can tell what television shows people are
watching inside. So it is increasingly the fact that technology
is making it really easy not just for the government but also
for individuals and companies to surveil us no matter where we
are. As people we want to have some zone of privacy where we
are not being watched and monitored or assessed.
Even when it is just for beneficial purposes or benign
purposes like advertising, I don't think advertising is bad at
all. I like advertising. It absolutely does fuel the Internet.
That information can still be lost or accessed by the
government, or breached, or repurposed in some way I don't
necessarily expect. There has to be some sort of basic
limitations on collection as technology makes the case that
everything becomes inherently observable.
Mrs. Bono Mack. Thank you. I am going to move on to Ms.
Horan. You know that Mrs. Blackburn and I for all of our
careers here have been focused on intellectual property. We
want to make sure that people who create valuable content not
only are rewarded, but we encourage people to create whether
they are a reporter needing to write an article, like an
earlier example of the New York Times. That is what this has
been all about for a long time. I think in your world the
newspapers and online publishers have scrambled to adapt to the
disruptive technologies. And some have succeeded and some
failed. There is no doubt about it. But I agree with you or
agree with the people that believe consumers realize free
content is supported by advertising.
However, do you think that most consumers know that
advertising is conducted by third parties rather than your
members Web sites? The administration's proposal recognizes
that data may be used by first parties for marketing, but do
any or even a majority of your members conduct their own
marketing or do they use third party networks?
Ms. Horan. So I think consumers are getting smarter. I
think that is part of the responsibility of industry to
continue to educate. And our members have been active in the
program that the DAA has done to do an educational program. Our
members, some of our members do work with ad networks, it is a
subset of the membership. And the majority of the advertising
that our members serve is actually contextual. Those that are
working with ad networks it only represents a very small
portion, it is only about 2 percent.
So in terms of the experience that we are delivering, it
tends to be tied to the context of the content versus interest
based experiences.
Mrs. Bono Mack. Do you think in many of your membership
that there are examples of people of newspapers, publishers who
learned to survive simply because of this that otherwise would
have done by the wayside?
Ms. Horan. Advertising in general, that is the major
element that fuels the business. So being able to deliver an
experience to consumers where they do feel like they are in a
trusted environment is something that is absolutely paramount,
as I mention in my testimony. Obviously I am speaking for the
members that we represent and these are obviously brands that
have had long-term relationships across different media, as you
mention, newspapers and TV broadcasters for some time. But it
certainly is and will always be a priority that we deliver an
experience that consumers feel they are in a trusted
environment.
Mrs. Bono Mack. Have you noticed compared to the good old
fashioned, whether we called classified ads in the history
books almost anymore, have you noticed though consumers are
really preferring the new method over the old classified ads?
Ms. Horan. In terms of looking at the sheer amount of time
consumers are spending online, it has become more and more
where they are getting their news, information and
entertainment. The business model itself is something we are
absolutely committed to looking at how we evolve because you
are absolutely right, a significant portion of the advertising
revenue that has been part of the print world has diminished.
And so online we are looking at ways to try to augment that.
Certainly advertising will always be the most substantial
revenue that our members garner, but we are certainly looking
for other ways to complement that revenue in order to sustain
the business.
Mrs. Bono Mack. Thank you. Mr. Zaneis, do you want to
respond?
Mr. Zaneis. I know we are short on time. I just want to
make a couple quick points. It is not just about behavioral
advertising, it is really about data collection. So we
represent many of the original content producers as OPA does as
well. And for them it is key that they have to be able to do
things like frequency cap, marketing message, so they don't
deliver the same ad 15 times. If the consumer didn't click on
that ad the first 14 times, they are not going do it the 15th.
It is also about content customization which requires
information exchange. And I think one problem with the FTC's
report is that they don't recognize affiliates as first party.
And so you can't have this synergy and we know that companies
build brands, and that the ability online to kind of bring
those Web sites together to create a richer, more vibrant
experience to the consumer is key. We ought to respect all of
those as first parties.
Mrs. Bono Mack. Thank you. My time has expired. Mr.
Butterfield, you are recognized for 5 minutes.
Mr. Butterfield. Thank you. Mr. Brookman, I am going to try
a question on you that I posed to the first panel. The
administration's privacy report advances a framework that
includes the development and implementation of industry codes
of conduct in parallel with Congress working on and passing
baseline privacy legislation. To the extent that the FTC
intends to participate in the development of these codes and
has also endorsed the idea of Congress passing baseline privacy
legislation, it also seems to endorse the idea that these
things should happen in tandem or in concert with each other.
Some are already arguing that these two pieces should be
delinked from one another; that is, the development and
implementation of codes of conduct should completely play out
before Congress takes any action on baseline legislation.
I get the sense that you would be among those who would
disagree with this view. Can you elaborate on that for me.
Mr. Brookman. Yes, I definitely would. I think the
administration kind of come out and said it would be better it
if we had a law right now that gives everyone an incentive to
come to the table to develop reasonable codes. With that said,
we don't have a law right now, so we are going do what we can
with the limited tools we have. I mean I think they have the
ability maybe in some ads cases with a lot of attention to use
the bully pulpit to get some folks to come to the table to
agree to some strong rule. But by and large they are not. They
can probably get Google and Facebook and Yahoo and Microsoft
into the room. But the smaller players really don't have any
incentive, there is no requirement, there is no substantive law
out there saying you have to tell people what you are doing
with the information, let's create a safe harbor program to say
what that means.
So I think the convenings in the meantime I think were
hopeful, I think there is a role they can serve, but they are
not going to be a comprehensive solution by any stretch of the
imagination. I think there should be a law passed to give
everyone reason to kind of come forward and say you know what,
this is a reasonable code of conduct for my industry, I will
agree to that and so consumers can have some certainty about
what happens to their information online.
Mr. Butterfield. Would you support requiring all Web sites
or mobile apps to have a privacy policy?
Mr. Brookman. Yes. I think--I mean I think all Web sites
are kind of required to today by California law. And I think
industry self-regulation requires that. That said, we said that
mobile applications should probably do the same. Private
policies in and of themselves are not that great. We have had
privacy policies 15 years. I don't think anyone on this panel
or elsewhere thinks that solved privacy problems. They are
dense, they are inscrutable, and they are not really
recitations of what the companies are actually doing. They are
just often reservations of rights. They are written defensively
because the limited law the FTC has is just don't deceive. So
the easiest way to get in trouble under FTC law is to go out of
your way to make a misrepresentation.
Mr. Butterfield. Are these policies recommended by the FTC
report?
Mr. Brookman. I believe the FTC report thinks yes, they
should require----
Mr. Butterfield. OK, let me go down the line and ask if you
agree or disagree and then we will be done.
Mr. Szoka. I think it is premature for Congress to
legislate a prescriptive solution precisely because, as said,
the devil here is in the details. It is a question of trans----
Mr. Butterfield. You are talking about apps and Web sites?
Mr. Szoka. Well, in general. I think translating principles
that are in the White House report and the legislation is
premature. I am actually sympathetic to the idea of requiring
Web sites and apps to disclose their privacy practices. I think
there again though the question is about the implementation of
that requirement and how to do it in a way that allows sites to
accurately describe what they are doing and give themselves up
for enforcement if they fail do that, but not if they fail to
put a round peg in a square hole.
Mr. Butterfield. I guess my question is would you support
or not support requiring all Web sites and mobile apps to have
a privacy policy?
Mr. Szoka. I think in principle that is a much better place
for legislation to start than actually prescribing practices.
Mr. Butterfield. So you don't have a fixed opinion on that?
Mr. Szoka. I think it is a promising idea in principle but
in practice----
Mr. Butterfield. Mr. Zuck, let's try you and then Ms.
Horan.
Mr. Zuck. I think the discussion here is an opportunity for
me to reiterate some of the problems with big companies versus
small companies. Mr. Brookman suggested that somehow the bully
pulpit was more effective for big companies than small ones.
But I would suggest the small companies because of their
proximity to their customers are actually engaged in an ongoing
dialogue and amending their policies on a day-to-day basis.
Moms with apps, for example, have come up with a series of
privacy icons in order to better communicate----
Mr. Butterfield. So do I take that as a yes or no?
Mr. Zuck. Well, I think it is complicated question. I think
the FTC's focus on sharing data with third parties unduly
benefits large companies that own their own ad networks to the
disadvantage of small businesses that wouldn't survive.
Mr. Butterfield. Let me try the next witness. We are
running out of time. Ms. Horan.
Ms. Horan. Based on California law today all of ours do
have privacy policies.
Mr. Butterfield. And so you agree with extending that
nationwide?
Ms. Horan. [Nods.]
Mr. Zaneis. I think the FTC report, the chairman was very
clear it was not a regulation, it was not a law, it was best
practice. So as a best practice companies should have privacy
policies. What we shouldn't do is not make those a stagnant
practice, we should innovate the ad choices icon as an example
of notice innovation. Just as you pointed out, Mr. Butterfield,
Google's new comprehensive privacy policy is a wonderful
innovation for consumers to bring all of those disparate
policies together in a simple, very clear way. That is what the
industry should be doing instead of having codified very
detailed privacy policies, and Justin and everybody else agrees
it doesn't really works for consumers.
Mr. Butterfield. All right. Thank you.
Mrs. Bono Mack. Thank you, Mr. Butterfield. Mrs. Blackburn,
you are recognized for 5 minutes.
Mrs. Blackburn. We are going to try to get you all out of
here before the next vote series. Mr. Zaneis, let me ask you
this one. I talked with the FTC about their report, their
privacy report, and I think the thing is absolutely
fascinating. But let me talk to you about this definition on
the information brokers. And I am quoting from the report. The
Commission recommends that Congress consider enacting targeted
legislation to provide greater transparency for and control
over the practices of information brokers. Further, the report
says that data brokers are companies that collect information
from a wide variety of sources for the purpose of reselling
such information to their customers for various purposes.
Now with my constituents in Tennessee, as we have discussed
privacy, one of the things they have brought up to me most
often is, hey, you know we don't want be classified as a data
broker. This is not what we do. And they are very concerned
about having a web, throwing a real big web out there. So given
the broad and ill-defined language that is in this report,
looking at it in that manner, how many data brokers would you
say that the universe of data brokers is that the FTC is going
to find in the U.S. marketplace?
Mr. Zaneis. I think there is the real threat that they
could cover basically the entire Internet, virtually every Web
site, especially if you remember the fact that the FTC does not
treat affiliates as first parties. They are now a data broker.
Virtually every Web site has multiple sites.
Congressman, in your State you have more than 25,000 people
that depend upon, their jobs upon Internet advertising
directly, and I think all of them would fall under this bill.
Mrs. Blackburn. OK. So all of these innovators in the auto
industry, and the financial service industry, and the banking
industry, and the insurance industry, the entertainment
industry, the health care industry, all of those guys that have
been saying don't cast this net so widely, they would be
trapped in that, or then it would be an enormous bureaucracy, I
would think, that the FTC would have to build to start to
regulate this.
Mr. Zaneis. I think if they used their definition that you
read aloud in the report, and they put the restrictions on that
we have seen in other very narrowly-tailored data broker bills
and have passed this committee in the past because they were so
narrow, you absolutely would have an all-encompassing
regulatory net.
Mrs. Blackburn. OK. Let me move on. I have got a poster
that I want to put up and talk with you about. With Mr.
Strickling and Mr. Leibowitz I talked a little bit about my
concern over the EU-style Do Not Track. And I wanted to look at
these ad revenues. And I have these out of an article, it is 11
Trends for 2011, eMarketer. Now, this shows that American Web
sites would lose $33 billion over 5 years if Congress mandated
the EU-style opt-in consent for interest-based advertising. So
what I would like to hear from you all, looking at the
potential of over a 5-year period losing that amount of money,
do you agree with these numbers? Would it have that enormous an
effect? How would you rank that? What are your thoughts?
Mr. Brookman, let me start with you and just work down. We
have got 1 minute left.
Mr. Brookman. I think this is an extrapolation of the
Catherine Tucker MIT study which, again, did not actually say
that they would lose this sort of massive amounts of money.
That study basically just showed people ads in both Europe and
the United States. They didn't know whether the ads were
targeted or not, didn't know whether targeting was happening at
all. So the people in the United States reacted--just said,
they didn't buy, said they more likely to buy a product as a
result of an ad. As a result of that mere study--so the study
did not show this at all.
Mrs. Blackburn. Let me move on. We are running out of time.
Mr. Zaneis.
Mr. Zaneis. The study measured the effectiveness of
advertising. One thing we know is that based on the NAI study,
targeted ads are 2.5 times more effective than nontargeted ads.
I think actually the effect might be even higher, because some
of these economic numbers are a little bit old, they are based
on an IAB study of the Internet economy.
Mrs. Blackburn. OK.
Ms. Horan. It would have huge implications. As I mentioned,
just the CNET example, the ability to customize content and be
able to provide an enhanced experience online.
Mrs. Blackburn. So you would say we are looking at at least
that much. Mr. Zuck?
Mr. Zuck. I definitely would agree that we are looking at
at least this much. And you only need to take a step back from
the numbers and realize that the EU data privacy practices have
eliminated the ability really to introduce products for free.
And that is why there is this distinction in the innovation
between the two places.
Mrs. Blackburn. Mr. Szoka.
Mr. Szoka. I think the chart is helpful because it is
directional. It helps people understand the implications of
what is otherwise a difficult thing to understand, which is the
difference between two techniques and how they are used. And to
say that of course this is an extrapolation, as Justin says,
and the important thing is not the total number, but to say
that that difference in, you know, technique A versus technique
B because of a regulatory mandate does have a large effect.
Mrs. Blackburn. Excellent. I yield back.
Mrs. Bono Mack. I thank the gentlelady, and want to thank
our panel very much for your hard work and your expertise in
these areas. We thank you for being here today before us.
At this point, I am going to ask unanimous consent to
submit for the record Commissioner Rosch's dissenting statement
regarding the FTC's privacy report dated last Friday, March 26.
Mr. Butterfield. Without objection. And I would like to be
recognized for a similar request.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Bono Mack. The gentleman is recognized.
Mr. Butterfield. Thank you, Madam Chairman. I too would
like to ask unanimous consent to include two reports in the
record. One is the White House report dated February 2012 that
we have talked about throughout this hearing, as well as the
FTC report that is dated March 2012.
Mrs. Bono Mack. Without objection.
[The information is available at http://www.whitehouse.gov/
sites/default/files/privacy-final.pdf and http://www.ftc.gov/
os/2012/03/120326privacyreport.pdf]
Mrs. Bono Mack. And so as I mentioned earlier, this was the
sixth in our series of privacy hearings in the past year. And
if we have learned one thing, it is simply this, that there are
no easy answers or quick fixes when it comes to protecting
consumer privacy online. But as a subcommittee, we are going to
keep working hard at it. And I look forward to our continued
discussions.
I remind members that they have 10 business days to submit
questions for the record, and ask the witnesses to please
respond promptly to any questions you might receive. And the
hearing is now adjourned.
[Whereupon, at 12:38 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�